Re: CVE request: didiwiki path traversal vulnerability

[Ignace Mouzannar <mouzannar () gmail com>]

Hi,

Thanks you for your reply.

On Fri, Feb 19, 2016 at 10:49 AM,  <cve-assign () mitre org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > https://github.com/OpenedHand/didiwiki/pull/1/files
> > curl http://localhost:8000/api/page/get?page=/etc/passwd
>
> We aren't sure about the need for CVE IDs for this product because it
> doesn't seem to advertise any security properties, e.g.,
>
>   https://github.com/OpenedHand/didiwiki/blob/master/README
>   "Its probably not very secure at all."
>
> We can assign a CVE ID if there is going to be a DSA.

The Debian Security team is planning on publishing a DSA, as this
package is available in the (old)stable version of Debian.

> One concern is that the design may not be intended for environments
> with untrusted clients, and many other issues may be found. Also, we
> aren't sure about the patch:
>
> +   if (!isalnum(page_name[0]))
> +        return FALSE;
> +
> +    if (strstr(page_name, ".."))
> +         return FALSE;
>
> e.g., what about C:\file.txt if it's possible to build this on Windows.

I admit not having looked into Windows (I am the package maintainer on
Debian). For the record, didiwiki has not been packaged for Windows,
and upstream has been MIA for a while now. So I'm not sure it is
usable/used on Windows,

Cheers,
 Ignace M