Back Midas Rome Roody Rootana
  Midas DAQ System  Not logged in ELOG logo
Entry  18 Jul 2023, Gennaro Tortone, Bug Report, access to filesystem through mhttpd 
    Reply  18 Jul 2023, Konstantin Olchanski, Bug Report, access to filesystem through mhttpd 
       Reply  19 Jul 2023, Zaher Salman, Bug Report, access to filesystem through mhttpd 
Message ID: 2558     Entry time: 19 Jul 2023     In reply to: 2557
Author: Zaher Salman 
Topic: Bug Report 
Subject: access to filesystem through mhttpd 
Have you actually been able to read /etc/passwd this way? I tested this on a few of our servers and it does not work. As far as I know, there is access to files in resources, custom pages etc.

Other possible ways to access the file system is via mjsonrpc calls, but again these are restricted to certain folders.

Can you please give us more details about this.

Zaher

> > (e.g. http://midas.host:8080/etc/passwd)
> 
> not again! I complained about this before, and I added a fix, but it must be broken again.
> 
> getting a copy of /etc/passwd is reasonably benign, but getting a copy of 
> /home/$USER/.ssh/id_rsa, id_rsa.pub, knownhosts and authorized_keys is a disaster.
> 
> (running mhttpd behind a web proxy does not solve the problem, number of attackers is 
> reduced to only the people who know the proxy password and to local users).
> 
> K.O.
ELOG V3.1.4-2e1708b5