Uploaded image for project: 'DSpace'
  1. DSpace
  2. DS-2445

XMLUI Directory Traversal Vulnerability



    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 3.0, 3.1, 3.2, 3.3, 4.0, 4.1, 4.2, 5.0
    • Fix Version/s: 3.4 , 4.3, 5.1
    • Component/s: XMLUI
    • Labels:
    • Attachments:
    • Comments:
    • Documentation Status:
      Not Required


      == What is the problem? Who is affected? ==

      In some configurations, the XMLUI's "static/" and "themes/" paths allow access to traverse and publicly access files on your local filesystem. However, only files which are readable by the Tomcat user account (i.e. the user Tomcat runs as) are accessible.

      These are actually two very similar, related issues, but one has more severity:

      [Vulnerability #1 - Severity: HIGH] The "static/" path is vulnerable to a full directory traversal. This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace website. However, NOT all sites are affected by this issue. To see if you are affected, paste the following on the end of your DSpace URL (if vulnerable, you should see your filesystem's "/etc/passwd" file). If affected, a similar URL pattern would allow for access to any other file accessible to the Tomcat user account on your filesystem.


      This vulnerability was initially discovered by Khalil Shreateh and documented on this blog post (in the "XMLUI (Cocoon/XSLT)" section):

      [Vulnerability #2 - Severity: MEDIUM] The "themes/" path is vulnerable to a partial directory traversal, only of files under the "xmlui" webapp directory on your filesystem. All sites are affected by this issue. To see this issue in action, paste the following on the end of your DSpace URL (this should display your site's "web.xml":

      This vulnerability was discovered by DSpace Committers while investigating the other XMLUI vulnerability.

      == What is the fix? ==

      There is a "quick fix" which may resolve Vulnerability #1 (for some configurations of Tomcat), and a much more secure "patch" (which resolves both issues).

      [Quick Fix] Based on your Tomcat configuration and setup, for some sites, simply setting "allowLinking=false" (default value) in your Tomcat <Context> may provide a "quick fix" to the more severe Vulnerability #1. However, this does not seem to work for all Tomcat configurations. In general, we do recommend always setting "allowLinking=false". In the Tomcat documentation, setting "allowLinking=false" is also recommended: https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Context

      [Permanent Fix] Install the attached patch and rebuild & redeploy DSpace. This patch closes up several "holes" in the Cocoon ResourceReader (and similar) classes in the XMLUI. These classes were not properly protecting against URL hacks, and also provided direct access to XMLUI configurations and themes (which made URL hacks easier to determine). This patch provides protection against these URL hacks and locks down all access to XMLUI configurations and themes (thus also fixing DS-2130 and DS-1896)

      • Applying the patch on Linux is usually just: "cd [dspace-src]; patch -p1 < DS-2445.patch"


          Issue Links



              tdonohue Tim Donohue
              tdonohue Tim Donohue
              0 Vote for this issue
              5 Start watching this issue