By using "../", one can access any file that exists on the local file system where Pentaho Server is running.
My scenario:
Pentaho Server location: C:\Pentaho\Xpto\server
A valid file named "should_not_be_accessible.js" was put at "C:\tmp"
After starting Pentaho Server, go to "http://localhost:8080/pentaho/plugin/cgg/api/services/draw?script=/system/analyzer/../../../../../../../tmp/should_not_be_accessible.js"
Result: the chart is rendered (and it shouldn't)
Note that the number of "../" groups varies depending on the location of the installation.
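As an added illustration (not Pentaho's code and not part of this report), the check below shows how the `script` parameter of the CGG draw endpoint can be confined to the server's solution directory, and how access-log lines carrying a traversal like the one above can be flagged. The solution root is an assumed, POSIX-style placeholder; the log lines are constructed.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

# Assumed solution root on the server (hypothetical, POSIX-style path); not Pentaho's code.
SOLUTION_ROOT = "/opt/pentaho/server/pentaho-solutions"

def resolve_script_path(script_param, root=SOLUTION_ROOT):
    """Return the normalized path under `root` for `script_param`, or None
    when the parameter would resolve outside `root`."""
    # Treat backslashes as separators too (the report's server runs on Windows),
    # and drop a leading '/' so the value is always relative to the root and can
    # never name an absolute filesystem path.
    rel = script_param.replace("\\", "/").lstrip("/")
    root = posixpath.normpath(root)
    # normpath collapses every '..' segment; the prefix test then tells us
    # whether the collapsed path is still inside the root.
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

def check_draw_url(url, root=SOLUTION_ROOT):
    """Classify a CGG draw request URL as ('allow', path) or ('deny', reason)."""
    # parse_qs percent-decodes, so an encoded '..' is normalized like a plain one.
    scripts = parse_qs(urlsplit(url).query).get("script", [])
    if len(scripts) != 1:
        return ("deny", "missing or repeated script parameter")
    resolved = resolve_script_path(scripts[0], root)
    if resolved is None:
        return ("deny", "script path escapes solution root")
    return ("allow", resolved)

def find_traversal_attempts(log_lines, root=SOLUTION_ROOT):
    """Return the access-log lines whose draw request would be denied."""
    hits = []
    for line in log_lines:
        for token in line.split():
            if "/plugin/cgg/api/services/draw" in token:
                if check_draw_url(token, root)[0] == "deny":
                    hits.append(line)
                break
    return hits

# Constructed sample log lines; the second carries the request path from this report.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /pentaho/plugin/cgg/api/services/draw?script=/system/analyzer/bar.js HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /pentaho/plugin/cgg/api/services/draw?script=/system/analyzer/../../../../../../../tmp/should_not_be_accessible.js HTTP/1.1" 200 512',
]
```

The prefix test works on the normalized string only; a server-side fix would additionally resolve the real path on disk so that symlinks under the root cannot point outside it.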