View Issue Details

ID: 0001880
Project: OXID eShop (all versions)
Category: 4.07. Source code, Test
View Status: public
Last Update: 2012-12-10 13:45
Reporter: andreas_ziethen
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.3.2 revision 27884
Target Version: 
Fixed in Version: 4.4.0 revision 28699
Summary: 0001880: contents of tmp directory are browser-readable
Description:
All the .txt files in /tmp are accessible via the browser. For example, with

http://demoshop.oxid-esales.com/professional-edition/tmp/oxpec_oxarticles_allfields_1.txt

you can get a nice list of all fields of the table oxarticles, which could give a potential injection hacker helpful information.
In an EE context you can even read the tbdsc .txt files, which give you the whole table description, which is delicious info for SQL injection.

The htaccess file should be modified to prevent this.
Tags: No tags attached.
Theme: 
Browser: All
PHP Version: any
Database Version: any

Relationships

related to 0001902 (resolved, ramunas.skarbalius): Include rewrite rule to main htaccess file to not allow listing files in tmp dir
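As an added example (not the htaccess file attached to this issue, whose contents are not reproduced on this page), this is the kind of Apache configuration that addresses both the description above and related issue 0001902. It assumes the shop root is the document root and that tmp/ sits directly beneath it, as the quoted URL suggests.

```apache
# Added example, not OXID's shipped fix: deny web access to the shop's tmp/ directory.
# Assumes the shop root is the Apache document root and tmp/ is directly under it.

# Option 1: place this in tmp/.htaccess so every request below tmp/ is refused.
# Apache 2.2 uses Order/Deny; Apache 2.4 uses Require (mod_authz_core is 2.4-only).
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Option 2 (what related issue 0001902 asks for): a rule in the main .htaccess,
# so the protection does not depend on a file inside tmp/ surviving a cache wipe.
# In per-directory context the pattern is matched against the path relative to
# the shop root, so "tmp/" here covers tmp/oxpec_*.txt, tbdsc files, etc.
RewriteEngine On
RewriteRule ^tmp/ - [F,L]

# Also disable auto-generated directory listings under the shop root
# (needs AllowOverride to permit Options in .htaccess).
Options -Indexes
```

After deploying, requesting any file under tmp/ on your own shop should return 403 Forbidden instead of 200, which is the quickest check that the rule is actually being applied.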

Activities

arvydas_vapsva (reporter), 2010-06-09 09:45, note ~0003155:

Added htaccess file, which disables file access.