[Geoserver-devel] [JIRA] (GEOS-8252) Security issue - access any local server file from web interface

Alexey Vlasov created an issue

GeoServer / Bug GEOS-8252

Security issue - access any local server file from web interface

Issue Type: Bug
Affects Versions: 2.7.2
Assignee: Unassigned
Created: 11/Aug/17 3:05 PM
Priority: Medium
Reporter: Alexey Vlasov

  1. Log in to the GeoServer web panel
  2. Go to Settings - Global
  3. Change the logging profile to QUIET_LOGGING.properties
  4. Change the log location: replace “logs/geoserver.log” with “/etc/passwd”
  5. Go to GeoServer Logs

Result: you will see “/etc/passwd” (and can even download the whole file via the link below the log text).
So it’s possible to read and display any local file from the server using only the GeoServer web interface.


This message was sent by Atlassian JIRA (v1000.1169.1#100058-sha1:a86f419)
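
One way to reject such a log location on the server side, as an added example that is not part of the original report and not GeoServer's own code. The class and method names are hypothetical, and restricting logs to a `logs` folder under the data directory is an assumption.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Added illustration; class and method names are hypothetical, not GeoServer API. */
public class LogLocationCheck {

    /**
     * Resolves a user-supplied log location against the data directory and
     * returns it only if it stays inside dataDir/logs (assumed policy); otherwise throws.
     */
    static Path confine(Path dataDir, String requested) throws IOException {
        Path logsDir = dataDir.resolve("logs").toAbsolutePath().normalize();
        // resolve() returns `requested` itself when it is absolute, e.g. /etc/passwd
        Path candidate = dataDir.resolve(requested).toAbsolutePath().normalize();
        if (!candidate.startsWith(logsDir)) {
            throw new IllegalArgumentException("log location outside " + logsDir);
        }
        // Second pass on the real path so a symlink inside logs/ cannot point elsewhere.
        if (Files.exists(candidate)
                && !candidate.toRealPath().startsWith(logsDir.toRealPath())) {
            throw new IllegalArgumentException("log location resolves outside " + logsDir);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data directory and inputs.
        Path dataDir = Files.createTempDirectory("geoserver_data");
        Files.createDirectories(dataDir.resolve("logs"));
        String[] inputs = {"logs/geoserver.log", "/etc/passwd", "logs/../../etc/passwd"};
        for (String in : inputs) {
            try {
                System.out.println("accepted: " + confine(dataDir, in));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check belongs both where the setting is saved and where the log viewer opens the file, so a value already stored in the configuration is also rejected.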