Public webdav url is vulnerable with full path disclosure

[TomasKulhanek]

https://www.owasp.org/index.php/Full_Path_Disclosure
the path url contains path within user context e.g. https://portal.west-life.egi/webdav/ABCDefg123/b2drop/myfile.txt which discloses path to other user files. It should be better https://portal.west-life.egi/webdav/ABCDefg/myfile.txt

[TomasKulhanek]

Additionally, private deployment allows to browse content of another user.

[TomasKulhanek]

• use apache mod_rewrite rule to redirect /webdav/$path to /filesystem/user/$path
• use apache mod_rewrite https://httpd.apache.org/docs/2.4/rewrite/rewritemap.html to define custom mapping between random hash and /webdavpublic/hash/file to /filesystem/user/path/file hash = user/path

[TomasKulhanek]

Still present in public portal

[TomasKulhanek]

• switch metadata service to provide fixed path
• redirect, proxy /webdav and /public_webdav to the VF container

[TomasKulhanek]

public as well as private url's are not processed.

https://portal.west-life.eu/public_webdav/XMD8Nf76XM57OGpmAapB880F+IQFpR2YQO5JQag6Rfwes8zTkUgMbEjU3nSoEkAjinfZS+ut7tsB0MLW4b087Bv4K05b46ZMwgx33mUHaaI=/2hhd.pdb
return HTTP 404 Not Found.

[francoisruty]

Hello, the 404 is returned by httpd inside the virtualfolder /var/log/httpd/access_log : 10.8.0.2 - - [14/Sep/2018:14:56:08 +0000] "GET /public_webdav/XMD8Nf76XM57OGpmAapB880F+IQFpR2YQO5JQag6Rfwes8zTkUgMbEjU3nSoEkAjinfZS+ut7tsB0MLW4b087Bv4K05b46ZMwgx33mUHaaI=/2hhd.pdb HTTP/1.1" 404 329 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" any idea? -- François Ruty +33 (0)6 73 44 76 69 [email protected]

…

On Fri, Sep 14, 2018 at 10:46 AM Tomas Kulhanek ***@***.***> wrote: public as well as private url's are not processed. https://portal.west-life.eu/public_webdav/XMD8Nf76XM57OGpmAapB880F+IQFpR2YQO5JQag6Rfwes8zTkUgMbEjU3nSoEkAjinfZS+ut7tsB0MLW4b087Bv4K05b46ZMwgx33mUHaaI=/2hhd.pdb return HTTP 404 Not Found. — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#64 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACsfFJNuQKO_Ti6RIxnpUFcPBz-lzws4ks5ua2zQgaJpZM4TR3aS> .

[TomasKulhanek]

Fixed.

[TomasKulhanek]

This issue seems to be again in place. Generated url allows browse root of all virtual folders. Check that apache config
RewriteMap davredir prg:/opt/virtualfolder/MetadataService/webdavhash2path
is in place and that the webdavhash2path decodes the path correctly.
Probably introduce fix that will prevent zero or error returned by webdavhash2path to redirect to root.