The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. This test will accept input of a file to read, but prohibits access to file in the /etc directory. The input generates an equivalent name /////etc/////passwd which bypasses the filter. org.mortbay.jetty.plus.Server:org.apache.lenya.util.HTML:$SS_TC_ROOT/install/build/lenya/webapp/sitemap.xmap $SS_TC_ROOT/$SS_TC_INSTALL/tools/loader:$SS_TC_DEPS/java/stonesoup/socket/*:$SS_TC_DEPS/java/stonesoup/lttng/lttng-stonesoup-0.1.jar $SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/resources:$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib/endorsed:$SS_TC_DEPS/java/lenya:$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib:$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib/endorsed:$SS_TC_ROOT/$SS_TC_INSTALL/tools/configure/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/lib UNSPECIFIED UNSPECIFIED env LENYA_HOME="$SS_TC_ROOT/$SS_TC_INSTALL" LENYA_WEBAPP_HOME="$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp" JETTY_PORT="8888" JETTY_ADMIN_PORT="8889" java $SS_JAVA_OPTS -Djava.library.path=$SS_TC_DEPS/lib64/ -Xms32M -Xmx512M -Djava.awt.headless=true -cp "$SS_JAVA_CLASSPATH" -Djava.endorsed.dirs=$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib/endorsed -Dorg.xml.sax.parser=org.apache.xerces.parsers.SAXParser -Djetty.port=8888 -Dloader.jar.repositories=$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/resources:$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib/endorsed -Dwebapp=$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp -Dhome=$SS_TC_ROOT/$SS_TC_INSTALL -Dorg.mortbay.util.URI.charset=ISO-8859-1 -Dloader.main.class=org.mortbay.jetty.plus.Server Loader $SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/conf/main.xml env ANT_HOME=$SS_TC_DEPS/ant ant -v $SS_ANT_OPTS -Dstonesoup.database.postgres.required=no -Dstonesoup.hibernate.postgres.required=no -Dstonesoup.hibernate.mysql.required=no -Dstonesoup.database.mysql.required=no -Dstonesoup.socket.required=yes -lib $SS_TC_DEPS/java/stonesoup/lttng/lttng-stonesoup-0.1.jar -Dstonesoup.socket.lib.dir="$SS_TC_DEPS/java/stonesoup/socket" -Dstonesoup.hibernate.mysql.lib.dir="$SS_TC_DEPS/java/stonesoup/hibernate/mysql" -Dstonesoup.hibernate.postgres.lib.dir="$SS_TC_DEPS/java/stonesoup/hibernate/postgres" -Dstonesoup.database.mysql.lib.dir="$SS_TC_DEPS/java/stonesoup/database/mysql" -Dstonesoup.database.postgres.lib.dir="$SS_TC_DEPS/java/stonesoup/database/postgres" -Dstonesoup.lttng.lib.dir="$SS_TC_DEPS/java/stonesoup/lttng" -Dstonesoup.lttng.dummy.lib.dir="$SS_TC_DEPS/java/stonesoup/lttng-dummy" -lib "$SS_TC_DEPS/java/lenya" -Dsrc.java.version="1.5" -Dlib.dir="$SS_TC_DEPS/java/lenya" -Ddist.root="$SS_TC_ROOT/$SS_TC_INSTALL" -Djava.endorsed.dirs="$SS_TC_ROOT/src/externals/cocoon_2_1_x/lib/endorsed" -Ddist.bin.dir="$SS_TC_ROOT/$SS_TC_INSTALL" prepare-dist-bin mkdir -p $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp cp $SS_TC_ROOT/$SS_TC_INSTALL/lenya.war $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/ (cd $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp && jar -xf lenya.war) mkdir -p $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/logs rm $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/lenya.war open firefox and browse to default page Environment variable defining test value. NONE $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so GOOD-01 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-01/output.txt DOES_NOT_RETURN CONTROLLED_EXIT Create a publication Environment variable defining test value. NONE $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so GOOD-02 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-02/output.txt DOES_NOT_RETURN CONTROLLED_EXIT Create publication and log in Environment variable defining test value. NONE $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so GOOD-03 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-03/output.txt DOES_NOT_RETURN CONTROLLED_EXIT edit with KUPU editor Environment variable defining test value. NONE $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so GOOD-04 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-04/output.txt DOES_NOT_RETURN CONTROLLED_EXIT edit with BXE editor Environment variable defining test value. NONE $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so GOOD-05 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-05/output.txt DOES_NOT_RETURN CONTROLLED_EXIT edit using "with forms" editor Environment variable defining test value. NONE $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so GOOD-06 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-06/output.txt DOES_NOT_RETURN CONTROLLED_EXIT test publishing to live site Environment variable defining test value. NONE $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so GOOD-07 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-07/output.txt DOES_NOT_RETURN CONTROLLED_EXIT test private message system Environment variable defining test value. NONE $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so GOOD-08 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-08/output.txt DOES_NOT_RETURN CONTROLLED_EXIT create new xhtml page Environment variable defining test value. NONE $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so GOOD-09 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-09/output.txt DOES_NOT_RETURN CONTROLLED_EXIT test RSS feed generation Environment variable defining test value. NONE $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so GOOD-10 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-10/output.txt DOES_NOT_RETURN CONTROLLED_EXIT Environment variable defining test value. READ_APPLICATION_DATA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so weakness_started_d7dWvrN3RbMpPEpGuQdD AND ((NOT PERFORMER AND (etc_passwd_line_pattern_j6U15X2c3X OR etc_passwd_root_user_E2vwQhQ4ro OR etc_group_line_pattern_i5EYlC16QK) AND NOT timeout_5zNBssrNqL) or (PERFORMER AND NOT ((etc_passwd_line_pattern_j6U15X2c3X OR etc_passwd_root_user_E2vwQhQ4ro OR etc_group_line_pattern_i5EYlC16QK) OR timeout_5zNBssrNqL OR controlled_exit_FDIShXdWUy))) (NOT PERFORMER AND (etc_passwd_line_pattern_j6U15X2c3X OR etc_passwd_root_user_E2vwQhQ4ro OR etc_group_line_pattern_i5EYlC16QK) AND NOT timeout_5zNBssrNqL) or (PERFORMER AND NOT ((etc_passwd_line_pattern_j6U15X2c3X OR etc_passwd_root_user_E2vwQhQ4ro OR etc_group_line_pattern_i5EYlC16QK) OR timeout_5zNBssrNqL OR controlled_exit_FDIShXdWUy)) DOES_NOT_RETURN CONTROLLED_EXIT CONTINUED_EXECUTION logfile.txt .+:.+:[0-9]+:[0-9]+:.+:.+:.* logfile.txt ^root:.* logfile.txt .+:x:[0-9]+: None stonesoup_trace:weakness_start Environment variable defining test value. READ_APPLICATION_DATA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so weakness_started_nMa2UhoGojmEGD98yDeE AND ((NOT PERFORMER AND (etc_passwd_line_pattern_XnVbylwd6V OR etc_passwd_root_user_KSX6Xjh4HY OR etc_group_line_pattern_D0ztiTIv1X) AND NOT timeout_SWM6mVOkMj) or (PERFORMER AND NOT ((etc_passwd_line_pattern_XnVbylwd6V OR etc_passwd_root_user_KSX6Xjh4HY OR etc_group_line_pattern_D0ztiTIv1X) OR timeout_SWM6mVOkMj OR controlled_exit_eg0GAEJuS2))) (NOT PERFORMER AND (etc_passwd_line_pattern_XnVbylwd6V OR etc_passwd_root_user_KSX6Xjh4HY OR etc_group_line_pattern_D0ztiTIv1X) AND NOT timeout_SWM6mVOkMj) or (PERFORMER AND NOT ((etc_passwd_line_pattern_XnVbylwd6V OR etc_passwd_root_user_KSX6Xjh4HY OR etc_group_line_pattern_D0ztiTIv1X) OR timeout_SWM6mVOkMj OR controlled_exit_eg0GAEJuS2)) DOES_NOT_RETURN CONTROLLED_EXIT CONTINUED_EXECUTION logfile.txt .+:.+:[0-9]+:[0-9]+:.+:.+:.* logfile.txt ^root:.* logfile.txt .+:x:[0-9]+: None stonesoup_trace:weakness_start