Anyone who knows of a running and reachable Sahi Proxy can read and write any file that the Sahi Proxy's user has access to.
https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
https://www.owasp.org/index.php/Path_traversal
For example, someone could fetch my public key by requesting http://myIp:9999/_s_/dyn/ConfigureUI_readFile?fileName=../../../../.ssh/id_rsa
The `fileName` parameter is passed through to the file system without being confined to a base directory, so `../` segments walk out of the intended location.
Related files from Sahi's original repository:
http://sourceforge.net/p/sahi/code/HEAD/tree/trunk/sahi/src/net/sf/sahi/command/Debug.java#l38
http://sourceforge.net/p/sahi/code/HEAD/tree/trunk/sahi/src/net/sf/sahi/command/ConfigureUI.java#l17
http://sourceforge.net/p/sahi/code/HEAD/tree/trunk/sahi/src/net/sf/sahi/command/ConfigureUI.java#l23
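One way to close this class of hole is to resolve the user-supplied `fileName` against a fixed base directory and refuse any result that escapes it. The following is an added illustration, not Sahi's code; the class name `SafeFileResolver`, the base directory and the sample file names are assumptions.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper (not part of Sahi): confine a request-supplied
// fileName to one base directory before any read or write happens.
public final class SafeFileResolver {

    private final Path baseDir;

    public SafeFileResolver(String baseDir) {
        // Absolute + normalized so the prefix check below compares like with like.
        this.baseDir = Paths.get(baseDir).toAbsolutePath().normalize();
    }

    /** Returns the resolved path, or throws if fileName would leave baseDir. */
    public Path resolve(String fileName) {
        if (fileName == null || fileName.isEmpty() || fileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid fileName");
        }
        // normalize() collapses "." and ".." segments; an absolute fileName
        // replaces baseDir entirely and therefore also fails the prefix check.
        Path candidate = baseDir.resolve(fileName).normalize();
        // Path.startsWith compares whole components, so "/data" does not
        // accidentally match "/database".
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("path traversal rejected: " + fileName);
        }
        // Note: this does not follow symlinks inside baseDir; if those are a
        // concern, additionally compare toRealPath() of existing files.
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed example: the temp directory stands in for the proxy's data dir.
        SafeFileResolver r = new SafeFileResolver(System.getProperty("java.io.tmpdir"));
        System.out.println("ok:       " + r.resolve("userdata/sahi.properties"));
        try {
            r.resolve("../../../../.ssh/id_rsa");   // the request from the report
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```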