View Issue Details

ID: 0000345
Project: mantisbt
Category: security
View Status: public
Last Update: 2001-04-08 22:50
Reporter: lsd
Assigned To: prescience
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Summary: 0000345: Show source feature can show any file on filesystem
Description

When the show source feature is enabled, any user allowed to use it can view any file on the filesystem via the show_source_page.php script, by calling it manually and specifying the file to view in the URL.

Tags: No tags attached.

Relationships

has duplicate 0000415 (closed, prescience): Show source allows users to view config_inc.php

Activities

prescience (reporter), 2001-03-06 19:18, note ~0000531

This is true. Admins should probably never set the access level to 2. I'll make a larger note of it.

Also, I can probably improve things a bit by making the "Show Source" link a form button with a hidden field.

Actually, I should probably just remove level 2 access.

lsd (reporter), 2001-03-06 19:27, note ~0000532

That's cool - it's just that when it is enabled, it lets you go to URLs like show_source_page.php?f_url=/etc/passwd and things like that - basically anything accessible to the web server account. Since it's just a nicety though, I guess it's not really worth fixing when it can be disabled :)

prescience (reporter), 2001-03-06 19:32, note ~0000533

Yeah, I use it for debug purposes quite often.

I can probably do some checks to see if the file you request is in the document root or not.
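The document-root containment check prescience mentions above, written out as an added example (this is not MantisBT's own code). It assumes a hypothetical `$allowed_root` variable and `resolve_inside_root()` helper; the `f_url` parameter name and the `config_inc.php` exclusion come from this issue and its duplicate.

```php
<?php
// Added example, not MantisBT code: confine a "show source" script to files
// under one root directory and refuse the config file even inside that root.

/**
 * Return the canonical path of $requested if it lies inside $root, else false.
 * $requested is always treated as relative to $root, never as an absolute path.
 */
function resolve_inside_root(string $root, string $requested)
{
    // Embedded NUL bytes can truncate the path at the C level; reject them outright.
    if (strpos($requested, "\0") !== false) {
        return false;
    }
    $root_real = realpath($root);
    if ($root_real === false) {
        return false;
    }
    // realpath() collapses "..", "." and symlinks, so the prefix test below is
    // made on the real location, not on the string the client supplied.
    $candidate = realpath($root_real . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return false;
    }
    // Append a separator so that a sibling like "/var/www2" does not match "/var/www".
    $prefix = rtrim($root_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Even inside the root, the config file holds credentials (see duplicate 0000415).
    if (basename($candidate) === 'config_inc.php') {
        return false;
    }
    return $candidate;
}

// Usage as it would sit in a show-source page; $allowed_root is an assumed setting.
$allowed_root = __DIR__;
$requested    = isset($_GET['f_url']) ? (string) $_GET['f_url'] : '';
$path         = resolve_inside_root($allowed_root, $requested);

// Only serve PHP sources; anything else (or anything outside the root) is refused.
if ($path === false || substr($path, -4) !== '.php') {
    http_response_code(403);
    exit('Access denied.');
}
highlight_file($path);
```

The check is a defence in depth: the access-level restriction and the off-by-default setting described later in this issue still apply on top of it.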

prescience (reporter), 2001-04-08 22:50, note ~0000665

Fixed in 0.15.0

I've made it so only the administrator can view the source. The option is now off by default. Big warning messages are attached.