Issue description
For authenticated users, Majestic's built-in HTTP server allows downloading any file from any path of the filesystem if the file is not found in the http root directory. It looks like Majestic is trying to search for such files from the fs-root ("/"). So the http-root is not limited to /var/www/. This is probably a security issue.
Expectations
If a URL points to a file that does not exist in the http-root directory (/var/www/), the HTTP server must return a 404 error. Of course, except for special URL paths, like statistics.
Steps to reproduce
Try to HTTP GET any file that does not exist in /var/www/ by its absolute path.
http://[camera_ip]/etc/passwd
http://[camera_ip]/etc/shadow
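
The behaviour requested under Expectations, written out as an added example (not part of the original issue and not Majestic's code): the request path is joined to the web root, resolved, and served only if it is a regular file that stays inside the root; everything else is a 404. The `/stats` handler path and the contents of the temporary docroot are assumptions constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote

DOCROOT = "/var/www"            # web root named in the report
HANDLER_PATHS = {"/stats"}      # hypothetical name for a "special" non-file path

def resolve(url_path, docroot=DOCROOT):
    """Map a request path to (status, file). Only regular files that
    resolve to a location inside docroot are served."""
    path = unquote(url_path.split("?", 1)[0])   # check what the filesystem will see
    if path in HANDLER_PATHS:
        return 200, None                        # answered by a handler, not from disk
    if "\x00" in path:
        return 404, None
    root = os.path.realpath(docroot)
    # lstrip("/") keeps the join anchored at docroot instead of restarting at "/".
    target = os.path.realpath(os.path.join(root, path.lstrip("/")))
    # Containment is checked after ".." and symlinks have been resolved.
    if os.path.commonpath([root, target]) != root:
        return 404, None
    if not os.path.isfile(target):
        return 404, None                        # not in docroot: stop, never retry from "/"
    return 200, target

def demo():
    """Statuses for constructed requests against a throwaway docroot."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "www")
        os.makedirs(docroot)
        with open(os.path.join(docroot, "index.html"), "w") as f:
            f.write("<h1>camera</h1>")
        outside = os.path.join(tmp, "outside.txt")   # constructed file beside docroot
        with open(outside, "w") as f:
            f.write("not for the web")
        os.symlink(outside, os.path.join(docroot, "link"))
        requests = ["/index.html", "/etc/passwd", "/etc/shadow",
                    "/../outside.txt", "/link", "/stats"]
        return {r: resolve(r, docroot)[0] for r in requests}

if __name__ == "__main__":
    for request, status in demo().items():
        print(status, request)
```

The symlink case is why the containment check runs on the resolved path rather than on the request string.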