Security notice: [TBGSN-001-1] Local file inclusion vulnerability
More details available in issue #1826

19th November, 2012 – A security issue has been discovered in The Bug Genie allowing anyone to include local files outside the main webroot folder.

The following versions are affected:

  • The Bug Genie 3.2.0 - 3.2.3
  • The Bug Genie 3.1.x

Details

Severity
The Bug Genie team has rated this security issue "High".
Security issues rated "High" include issues that allow The Bug Genie to be used as a way to gain access to information outside The Bug Genie, but do not allow local or remote code execution or inclusion.
Resolution
The issue has been identified and a fix has been committed to the code repository.
  • If you are running version 3.2.x: An updated release (3.2.4) has been made available for version 3.2, fixing the issue. Please review the release announcement and upgrade as soon as possible.
  • If you are running version 3.1.x: A fix has been committed to the 3.1 branch. Keep in mind that version 3.1.x is no longer supported, and that you will need to apply this fix on your own. We strongly recommend you upgrade to version 3.2.4.
Description
The CSS and JS minifier and content server part of The Bug Genie was introduced in version 3.1 and was meant to allow for better caching and control over the included CSS and JS (the minifier and content server will be discontinued in version 3.3 and replaced with a better solution). This content server operates on a hashed file list string meant to include all CSS and JS files referenced in the current version.

Although there is a simple check for whether the included JS or CSS file exists, the file list was not checked for location before each file was included. This meant you could craft a URL referencing files outside the webroot directory. For more information and details, see the linked issue in the header.
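The following is an added illustration of the class of bug described above, written for this notice and not taken from The Bug Genie's code. It models a content server that resolves entries from a file list, contrasting an existence-only check with one that also confirms the resolved path stays inside the webroot. The directory layout, file names and the `resolve_asset` / `demo` helpers are constructed for the example.

```python
import os
import tempfile
from typing import Optional


def resolve_asset(webroot: str, requested: str, strict: bool) -> Optional[str]:
    """Return the path a content server would serve for one file-list entry,
    or None if the entry is rejected.

    strict=False: existence check only (the weakness described in the notice).
    strict=True:  additionally require the canonical path to lie under the
                  webroot and to carry a CSS/JS extension.
    """
    candidate = os.path.join(webroot, requested)
    if not os.path.isfile(candidate):
        return None
    if not strict:
        return candidate

    # Canonicalise both sides so ".." segments and symlinks cannot escape.
    real = os.path.realpath(candidate)
    root = os.path.realpath(webroot) + os.sep
    if not real.startswith(root):
        return None
    if not real.endswith((".css", ".js")):
        return None
    return real


def demo() -> dict:
    """Build a constructed webroot with one stylesheet and one file outside
    it, then show which entries each mode would serve."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "webroot")
        os.makedirs(os.path.join(webroot, "css"))
        with open(os.path.join(webroot, "css", "main.css"), "w") as f:
            f.write("body { margin: 0 }")
        with open(os.path.join(tmp, "secret.conf"), "w") as f:
            f.write("example=constructed")

        # A legitimate entry followed by a traversal entry (constructed input).
        file_list = ["css/main.css", "../secret.conf"]
        return {
            "lenient": [resolve_asset(webroot, r, strict=False) is not None for r in file_list],
            "strict": [resolve_asset(webroot, r, strict=True) is not None for r in file_list],
        }


if __name__ == "__main__":
    print(demo())
```

The lenient mode serves both entries because both files exist; the strict mode serves only the stylesheet under the webroot.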

The Bug Genie team wishes to thank Prajal Kulkarni - http://www.prajalkulkarni.com/ - for responsibly disclosing the issue to us, allowing time for developing a fix and synchronizing the updated release and security announcement.
