File browser may be blocked because of possible "Path traversal" attack
Reported by: wwalc | Owned by: alfonsoml
In Apache, mod_security (http://www.modsecurity.org/) is usually installed - it is commonly used to detect and prevent possible attacks. A quick example from the official mod_security site (http://www.modsecurity.org/documentation/quick-examples.html):

    # Prevent path traversal (..) attacks
    SecFilter "\.\./"
A similar rule is available in the "Apache 2.x rules" at http://www.gotroot.com/:

    ##generic recursion signatures
    SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
    SecRule REQUEST_URI "\.\./\.\./"
    #generic path recursion si
The problem is that ../.. is used by FCKeditor:
so it may be blocked in rare cases.
We should avoid passing ".." in urls.
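Added example, not part of the ticket and not FCKeditor's own code: the two rules quoted above, emulated as JavaScript regular expressions, next to a URL-building helper that resolves ".." segments against the base document path before the URL is emitted, so the request never contains "../" for mod_security to match. The sample paths (a browser.html base and a connector.php reference) are constructed for the example and are not taken from the ticket.

```javascript
// Added example (not FCKeditor code): emulate the two mod_security rules
// quoted in the ticket and show how resolving ".." before building a URL
// keeps the request from matching them.

// SecFilter "\.\./" -> any "../" anywhere in the request is denied.
const RULE_SECFILTER = /\.\.\//;

// gotroot rule id 300004 is chained, so it fires only when BOTH hold:
//   REQUEST_URI does NOT contain alt_mod_frameset.php, and
//   REQUEST_URI contains "../../"
const RULE_300004_EXEMPT = /alt_mod_frameset\.php/;
const RULE_300004_PATTERN = /\.\.\/\.\.\//;

// Return the labels of the rules that would deny this REQUEST_URI.
// In mod_security REQUEST_URI is the path plus the query string, so the
// whole string is tested, not just the path component.
function blockedBy(requestUri) {
  const hits = [];
  if (RULE_SECFILTER.test(requestUri)) hits.push('SecFilter');
  if (!RULE_300004_EXEMPT.test(requestUri) && RULE_300004_PATTERN.test(requestUri)) {
    hits.push('300004');
  }
  return hits;
}

// How "../.." ends up in a URL in the first place: the directory of the
// base document is concatenated with a relative reference as-is.
function joinNaive(basePath, relativeRef) {
  const dir = basePath.slice(0, basePath.lastIndexOf('/') + 1);
  return dir + relativeRef;
}

// Resolve a relative reference against an absolute base path and remove
// "." and ".." segments (a simplified version of RFC 3986 5.2.4, applied to
// the path only). A ".." that would climb above "/" is dropped, as browsers
// do, instead of being left in the URL where a filter could match it.
function resolveReference(basePath, relativeRef) {
  if (!basePath.startsWith('/')) throw new Error('basePath must be absolute');
  // Split off the query string so it is re-attached untouched.
  const q = relativeRef.indexOf('?');
  const refPath = q === -1 ? relativeRef : relativeRef.slice(0, q);
  const query = q === -1 ? '' : relativeRef.slice(q);

  const merged = refPath.startsWith('/') ? refPath : joinNaive(basePath, refPath);
  const segments = merged.split('/'); // segments[0] is '' from the root slash
  const out = [];
  for (let i = 1; i < segments.length; i++) {
    const seg = segments[i];
    // Skip "." and empty segments ("//"), but keep a trailing empty
    // segment so a directory reference keeps its trailing slash.
    if (seg === '.' || (seg === '' && i < segments.length - 1)) continue;
    if (seg === '..') { out.pop(); continue; } // pop() on [] is a no-op: clamp at root
    out.push(seg);
  }
  return '/' + out.join('/') + query;
}

// Constructed sample (assumption: not the layout or URL from the ticket).
const BASE = '/fckeditor/editor/filemanager/browser/default/browser.html';
const REF = '../../connectors/php/connector.php';

function demo() {
  const naive = joinNaive(BASE, REF);       // contains "../../"
  const clean = resolveReference(BASE, REF); // ".." resolved away
  return {
    naive, naiveBlockedBy: blockedBy(naive),
    clean, cleanBlockedBy: blockedBy(clean),
  };
}

console.log(demo());
```

The chain semantics matter for the second rule: a URI containing alt_mod_frameset.php with "../../" in it is exempt from 300004 but still matches the plain SecFilter, so removing ".." from the URL is the only change that satisfies both configurations. Because REQUEST_URI includes the query string, the same resolution has to be applied to any path passed as a query parameter value, not only to the path of the request itself.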
Change History (6)
Changed 8 years ago by alfonsoml
comment:2 Changed 8 years ago by alfonsoml
- Keywords Review? added
- Owner set to alfonsoml
- Status changed from new to assigned
comment:4 Changed 8 years ago by wwalc
- Resolution set to fixed
- Status changed from assigned to closed