View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001880 | OXID eShop (all versions) | 4.07. Source code, Test | public | 2010-06-04 11:28 | 2012-12-10 13:45 |
Field | Value |
---|---|
Reporter | andreas_ziethen |
Assigned To | |
Priority | high |
Severity | major |
Reproducibility | always |
Status | resolved |
Resolution | fixed |
Product Version | 4.3.2 revision 27884 |
Fixed in Version | 4.4.0 revision 28699 |
Summary | 0001880: contents of tmp directory are browser-readable |
Description | All the .txt files in /tmp are accessible via browser. For example, with http://demoshop.oxid-esales.com/professional-edition/tmp/oxpec_oxarticles_allfields_1.txt you can get a nice list with all fields of table oxarticles, which could give a potential injection hacker helpful information. In EE-context you can even read the tbdsc .txt files, which give you the whole table description, which is delicious info for SQL injection. The .htaccess file should be modified to prevent this. |
Tags | No tags attached. |
Theme | |
Browser | All |
PHP Version | any |
Database Version | any |
Related to | 0001902 (resolved, ramunas.skarbalius): Include rewrite rule to main htaccess file to not allow listing files in tmp dir |
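The mitigation the report asks for, written out as an added example; this is not the rule OXID shipped in 4.4.0 or attached to issue 0001902. It assumes Apache httpd with mod_rewrite enabled, `AllowOverride All` for the shop directory, and this being the main `.htaccess` in the document root with the cache directory at `tmp/` beneath it (the layout implied by the report's URL).

```apache
# Added example: deny all browser access to the tmp/ cache directory.
# Assumes Apache httpd with mod_rewrite, AllowOverride All, and this file
# being the main .htaccess in the shop's document root.

RewriteEngine On
# Any request whose path starts with tmp/ (the directory itself or anything
# below it) is answered with 403 Forbidden: no file, no .txt field list,
# no directory listing. F = Forbidden, L = stop processing further rules.
RewriteRule ^tmp(/.*)?$ - [F,L]

# Defence in depth for deployments where mod_rewrite is switched off: block
# the cached oxpec_*.txt field lists by name wherever they are written.
# (Constructed pattern based on the file name quoted in the report.)
<Files "oxpec_*.txt">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Keep automatic directory indexes off so tmp/ cannot be enumerated even if
# a rule above is later loosened.
Options -Indexes
```

After the change, a request for `tmp/oxpec_oxarticles_allfields_1.txt` should return 403 instead of the column list; a quick `curl -I` against that path is enough to confirm it before and after deploying.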