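The system or application is vulnerable to disclosure of file system
contents through path equivalence. Path equivalence involves the
use of special characters in file and directory names; the associated
manipulations are intended to generate multiple names for the same
object. This test accepts the name of a file to read as input, but prohibits
access to files in the /etc directory. The input produces the equivalent name
/////etc/////passwd, which bypasses the filter: the repeated slashes
presumably keep the name from matching the filter's /etc check, while the
operating system still resolves it to /etc/passwd. Resolving the path to its
canonical form before applying the check would make both names compare equal.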
org.mortbay.jetty.plus.Server:org.apache.lenya.util.HTML:$SS_TC_ROOT/install/build/lenya/webapp/sitemap.xmap
$SS_TC_ROOT/$SS_TC_INSTALL/tools/loader:$SS_TC_DEPS/java/stonesoup/socket/*:$SS_TC_DEPS/java/stonesoup/lttng/lttng-stonesoup-0.1.jar
$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/resources:$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib/endorsed:$SS_TC_DEPS/java/lenya:$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib:$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib/endorsed:$SS_TC_ROOT/$SS_TC_INSTALL/tools/configure/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/lib
UNSPECIFIED
UNSPECIFIED
env LENYA_HOME="$SS_TC_ROOT/$SS_TC_INSTALL" LENYA_WEBAPP_HOME="$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp" JETTY_PORT="8888" JETTY_ADMIN_PORT="8889" java $SS_JAVA_OPTS -Djava.library.path=$SS_TC_DEPS/lib64/ -Xms32M -Xmx512M -Djava.awt.headless=true -cp "$SS_JAVA_CLASSPATH" -Djava.endorsed.dirs=$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib/endorsed -Dorg.xml.sax.parser=org.apache.xerces.parsers.SAXParser -Djetty.port=8888 -Dloader.jar.repositories=$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/resources:$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib/endorsed -Dwebapp=$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp -Dhome=$SS_TC_ROOT/$SS_TC_INSTALL -Dorg.mortbay.util.URI.charset=ISO-8859-1 -Dloader.main.class=org.mortbay.jetty.plus.Server Loader $SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/conf/main.xml
env ANT_HOME=$SS_TC_DEPS/ant ant -v $SS_ANT_OPTS -Dstonesoup.database.postgres.required=no -Dstonesoup.hibernate.postgres.required=no -Dstonesoup.hibernate.mysql.required=no -Dstonesoup.database.mysql.required=no -Dstonesoup.socket.required=yes -lib $SS_TC_DEPS/java/stonesoup/lttng/lttng-stonesoup-0.1.jar -Dstonesoup.socket.lib.dir="$SS_TC_DEPS/java/stonesoup/socket" -Dstonesoup.hibernate.mysql.lib.dir="$SS_TC_DEPS/java/stonesoup/hibernate/mysql" -Dstonesoup.hibernate.postgres.lib.dir="$SS_TC_DEPS/java/stonesoup/hibernate/postgres" -Dstonesoup.database.mysql.lib.dir="$SS_TC_DEPS/java/stonesoup/database/mysql" -Dstonesoup.database.postgres.lib.dir="$SS_TC_DEPS/java/stonesoup/database/postgres" -Dstonesoup.lttng.lib.dir="$SS_TC_DEPS/java/stonesoup/lttng" -Dstonesoup.lttng.dummy.lib.dir="$SS_TC_DEPS/java/stonesoup/lttng-dummy" -lib "$SS_TC_DEPS/java/lenya" -Dsrc.java.version="1.5" -Dlib.dir="$SS_TC_DEPS/java/lenya" -Ddist.root="$SS_TC_ROOT/$SS_TC_INSTALL" -Djava.endorsed.dirs="$SS_TC_ROOT/src/externals/cocoon_2_1_x/lib/endorsed" -Ddist.bin.dir="$SS_TC_ROOT/$SS_TC_INSTALL" prepare-dist-bin
mkdir -p $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp
cp $SS_TC_ROOT/$SS_TC_INSTALL/lenya.war $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/
(cd $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp && jar -xf lenya.war)
mkdir -p $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/logs
rm $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/lenya.war
open firefox and browse to default page
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-01 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-01/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
Create a publication
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-02 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-02/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
Create publication and log in
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-03 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-03/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
edit with KUPU editor
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-04 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-04/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
edit with BXE editor
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-05 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-05/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
edit using "with forms" editor
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-06 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-06/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
test publishing to live site
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-07 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-07/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
test private message system
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-08 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-08/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
create new xhtml page
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-09 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-09/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
test RSS feed generation
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-10 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-10/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
Environment variable defining test value.
READ_APPLICATION_DATA
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
weakness_started_nMCAtW3SWV1hCZeDqfTk AND ((NOT PERFORMER AND (etc_passwd_line_pattern_vKtyA6oK7I OR etc_passwd_root_user_bZDpUDxFVL OR etc_group_line_pattern_yrTOl3weXz) AND NOT timeout_YtUt0t1nOk) or (PERFORMER AND NOT ((etc_passwd_line_pattern_vKtyA6oK7I OR etc_passwd_root_user_bZDpUDxFVL OR etc_group_line_pattern_yrTOl3weXz) OR timeout_YtUt0t1nOk OR controlled_exit_1WBYG6VnWn)))
(NOT PERFORMER AND (etc_passwd_line_pattern_vKtyA6oK7I OR etc_passwd_root_user_bZDpUDxFVL OR etc_group_line_pattern_yrTOl3weXz) AND NOT timeout_YtUt0t1nOk) or (PERFORMER AND NOT ((etc_passwd_line_pattern_vKtyA6oK7I OR etc_passwd_root_user_bZDpUDxFVL OR etc_group_line_pattern_yrTOl3weXz) OR timeout_YtUt0t1nOk OR controlled_exit_1WBYG6VnWn))
DOES_NOT_RETURN
CONTROLLED_EXIT
CONTINUED_EXECUTION
logfile.txt
.+:.+:[0-9]+:[0-9]+:.+:.+:.*
logfile.txt
^root:.*
logfile.txt
.+:x:[0-9]+:
None
stonesoup_trace:weakness_start
Environment variable defining test value.
READ_APPLICATION_DATA
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
weakness_started_Xbj39x2CrAnXNKp8GrhR AND ((NOT PERFORMER AND (etc_passwd_line_pattern_kK3IUTLSdv OR etc_passwd_root_user_z2R9rm1l2L OR etc_group_line_pattern_Bf2n6rlhgl) AND NOT timeout_yS33yIy8gi) or (PERFORMER AND NOT ((etc_passwd_line_pattern_kK3IUTLSdv OR etc_passwd_root_user_z2R9rm1l2L OR etc_group_line_pattern_Bf2n6rlhgl) OR timeout_yS33yIy8gi OR controlled_exit_g3dizjLw8A)))
(NOT PERFORMER AND (etc_passwd_line_pattern_kK3IUTLSdv OR etc_passwd_root_user_z2R9rm1l2L OR etc_group_line_pattern_Bf2n6rlhgl) AND NOT timeout_yS33yIy8gi) or (PERFORMER AND NOT ((etc_passwd_line_pattern_kK3IUTLSdv OR etc_passwd_root_user_z2R9rm1l2L OR etc_group_line_pattern_Bf2n6rlhgl) OR timeout_yS33yIy8gi OR controlled_exit_g3dizjLw8A))
DOES_NOT_RETURN
CONTROLLED_EXIT
CONTINUED_EXECUTION
logfile.txt
.+:.+:[0-9]+:[0-9]+:.+:.+:.*
logfile.txt
^root:.*
logfile.txt
.+:x:[0-9]+:
None
stonesoup_trace:weakness_start