Discovered/Noted by Andrea Bollini.
Vulnerability - Severity: MEDIUM
The JSPUI edit news page can be used to view/edit any file accessible by the Tomcat user on the server. While this page is access restricted to DSpace Site Administrators, it still provides a dangerous level of access to the filesystem. It is especially dangerous if you are running multiple instances of DSpace (or other software) on the same server that are viewable/editable by the Tomcat user. This vulnerability has existed since DSpace 4.0.
How to replicate:
1. Visit http://demo.dspace.org/jspui/
2. Login as the Administrative user (it only works as a full Site Admin)
3. Visit http://demo.dspace.org/jspui/dspace-admin/news-edit (Administer -> General Settings -> Edit News)
4. Using Firebug (http://getfirebug.com/) or another client-side editing tool, change one of the <select> box <option> tags to have a value="dspace.cfg".
5. Now, select that option, and click the Edit button
6. You'll be sent to an editing page, and the contents of the server's "dspace.cfg" file will be shown.
(Sidenote: this does not affect the XMLUI, as it's currently not possible to edit the XMLUI news from the Admin UI)
Fix:
- DSpace 4.x JSPUI users should upgrade to DSpace 4.5 (or 5.5), or apply the fix provided in this commit: https://github.com/DSpace/DSpace/commit/5061c41c215fe1999c2e41e095bcb3ce36072d99
- DSpace 5.x JSPUI users should upgrade to DSpace 5.5, or apply the fix provided in this commit: https://github.com/DSpace/DSpace/commit/a84763a2581566c358b4d203305145a38e86c3c6
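The hardening pattern that closes this class of bug, shown as an added example (this is not DSpace's own code and not the content of the commits above): the user-supplied file name from the news-edit form is checked against an allowlist of the legitimate news files, and the resolved path is additionally confirmed to stay inside the news directory. The file names `news-top.html`/`news-side.html`, the directory `/dspace/config` and the class name are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

/**
 * Hypothetical guard for a news-edit style handler (added example, not DSpace code).
 * Assumes the editable news files live in one fixed directory and that only the
 * two listed file names are legitimate targets of the edit form.
 */
public class NewsFileGuard {
    // Allowlist: the only file names the edit form is meant to submit (assumed names).
    private static final Set<String> ALLOWED = Set.of("news-top.html", "news-side.html");

    private final Path newsDir;

    public NewsFileGuard(Path newsDir) {
        this.newsDir = newsDir.toAbsolutePath().normalize();
    }

    /**
     * Resolve a user-supplied "position" value to a file inside newsDir.
     * A value such as "dspace.cfg" fails the allowlist; as defence in depth,
     * any normalized path that escapes newsDir (e.g. "../dspace.cfg") is rejected too.
     */
    public Path resolve(String position) {
        if (position == null || !ALLOWED.contains(position)) {
            throw new IllegalArgumentException("not an editable news file: " + position);
        }
        Path target = newsDir.resolve(position).normalize();
        if (!target.startsWith(newsDir)) {
            throw new IllegalArgumentException("path escapes news directory: " + position);
        }
        return target;
    }

    public static void main(String[] args) {
        NewsFileGuard guard = new NewsFileGuard(Paths.get("/dspace/config")); // assumed location
        // Constructed sample inputs: one legitimate value and two tampered form values.
        for (String position : new String[] {"news-top.html", "dspace.cfg", "../dspace.cfg"}) {
            try {
                System.out.println(position + " -> " + guard.resolve(position));
            } catch (IllegalArgumentException e) {
                System.out.println(position + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Because the form value is only ever used as a key into the allowlist, a client-side edit of the `<option>` value cannot steer the server to a file outside the two intended targets.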