Bug 1748283 - Path traversal in LDIF export
Summary: Path traversal in LDIF export
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: cockpit-389-ds
Version: 11.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-03 09:48 UTC by Viktor Ashirov
Modified: 2019-11-06 12:42 UTC (History)

Fixed In Version: 389-ds-base-1.4.1.7-1.module+el8dsrv+4200+233a821d
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-06 12:42:20 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHEA-2019:3731 (last updated 2019-11-06 12:42:31 UTC)

Description Viktor Ashirov 2019-09-03 09:48:36 UTC
Description of problem:
It's possible to put a full path or a relative path in the LDIF export modal dialog, allowing a write to any location the dirsrv user can write to, including overwriting its own configuration files, like dse.ldif.

Version-Release number of selected component (if applicable):
389-ds-base-1.4.1.6-2.module+el8dsrv+3912+aa2ce078.x86_64


How reproducible:
always

Steps to Reproduce:
1. Database -> Backups & LDIFs -> Create LDIF export
2. Put /etc/dirsrv/slapd-test/dse.ldif or ../../../../../../etc/dirsrv/slapd-test/dse.ldif
3. Press Create LDIF

Actual results:
The ldif export is written to this filename

Expected results:
Export should be allowed only to default ldif export dir.

Additional info:
When a path is given that dirsrv can't write to, it gives a correct error:

Error exporting database - Export task failed
-------------------------
Beginning export of 'userRoot'
Backend userRoot: can't open /etc/sdfsdf.ldif: 13 (Permission denied) while running as user "dirsrv"
backend 'userRoot' export failed (-1)
Export failed.

Comment 2 Viktor Ashirov 2019-09-27 13:07:20 UTC
Builds tested:
389-ds-base-1.4.1.9-1.module+el8dsrv+4243+ba0eb3c6.x86_64
cockpit-389-ds-1.4.1.9-1.module+el8dsrv+4243+ba0eb3c6.noarch

The reproducer from comment #0 no longer works, and the user is presented with a message:
"LDIF name should not be a path. All export files are stored in the server's LDIF directory"


Marking as VERIFIED.
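The check that closes this class of bug is the one comment 2 describes: the export name is treated as a bare file name, never as a path, and the file is always placed in the server's LDIF directory. The following is an added illustration of that rule, not code from 389-ds-base or cockpit-389-ds; the directory `/var/lib/dirsrv/slapd-test/ldif`, the function names and the `LdifNameError` class are assumptions made for the example. The error wording is the message quoted above. It goes slightly beyond the fix as described by also resolving the final path and confirming it stays under the LDIF directory, which guards against a symlink inside that directory pointing elsewhere.

```python
import os
import re

# Constructed directory for this example. On a real instance the export
# directory comes from the server configuration; this value is an assumption.
LDIF_DIR = "/var/lib/dirsrv/slapd-test/ldif"

# Accept only bare file names: an alphanumeric first character, then letters,
# digits, dots, underscores and hyphens. No separators, no leading dot.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Wording taken from the message shown by the fixed build (comment 2).
PATH_MESSAGE = ("LDIF name should not be a path. All export files are "
                "stored in the server's LDIF directory")


class LdifNameError(ValueError):
    """Raised when a requested export name is not a plain file name."""


def validate_ldif_name(name):
    """Return name unchanged if it is a bare file name, else raise LdifNameError.

    Both reproducers from the report are rejected here: the absolute path
    contains '/', and the relative one contains '/' and '..' components.
    """
    if not isinstance(name, str) or not name:
        raise LdifNameError("LDIF name must not be empty")
    # Check every separator the host OS recognises, plus '/' and '\\'
    # explicitly so the rule does not depend on the platform running the check.
    for sep in {os.sep, os.altsep or "/", "/", "\\"}:
        if sep in name:
            raise LdifNameError(PATH_MESSAGE)
    if name in (".", ".."):
        raise LdifNameError(PATH_MESSAGE)
    if not _NAME_RE.match(name):
        raise LdifNameError("LDIF name contains characters that are not allowed")
    return name


def is_safe_ldif_name(name):
    """Boolean convenience wrapper around validate_ldif_name."""
    try:
        validate_ldif_name(name)
    except LdifNameError:
        return False
    return True


def export_path(name, ldif_dir=LDIF_DIR):
    """Resolve the export file path and confirm it stays inside ldif_dir.

    The syntactic check is the primary control; comparing resolved paths is
    defence in depth against a symlink inside the LDIF directory that points
    outside it.
    """
    base = os.path.realpath(ldif_dir)
    candidate = os.path.realpath(os.path.join(base, validate_ldif_name(name)))
    if os.path.commonpath([base, candidate]) != base:
        raise LdifNameError("resolved export path escapes the LDIF directory")
    return candidate


if __name__ == "__main__":
    # A constructed good name followed by the two inputs from the report.
    for requested in ("userRoot-export.ldif",
                      "/etc/dirsrv/slapd-test/dse.ldif",
                      "../../../../../../etc/dirsrv/slapd-test/dse.ldif"):
        try:
            print("accepted:", export_path(requested))
        except LdifNameError as err:
            print("rejected:", requested, "->", err)
```

The important design point is that the name is validated as a name, not sanitised as a path: stripping `../` from user input still leaves a file name the caller controls, whereas rejecting any separator at all means the only thing the user chooses is which file inside the fixed directory gets written.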

Comment 4 errata-xmlrpc 2019-11-06 12:42:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3731

