The system or application is vulnerable to file system contents
disclosure through path equivalence. Path equivalence involves the
use of special characters in file and directory names. The associated
manipulations are intended to generate multiple names for the same
object. This test will accept input of a file to read, but prohibits access
to file in the /etc directory. The input generates an equivalent name
/////etc/////passwd which bypasses the filter.
org.mortbay.jetty.plus.Server:org.apache.lenya.util.HTML:$SS_TC_ROOT/install/build/lenya/webapp/sitemap.xmap
$SS_TC_ROOT/$SS_TC_INSTALL/tools/loader:$SS_TC_DEPS/java/stonesoup/socket/*:$SS_TC_DEPS/java/stonesoup/lttng/lttng-stonesoup-0.1.jar
$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/resources:$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib/endorsed:$SS_TC_DEPS/java/lenya:$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib:$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib/endorsed:$SS_TC_ROOT/$SS_TC_INSTALL/tools/configure/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/lib
UNSPECIFIED
UNSPECIFIED
env LENYA_HOME="$SS_TC_ROOT/$SS_TC_INSTALL" LENYA_WEBAPP_HOME="$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp" JETTY_PORT="8888" JETTY_ADMIN_PORT="8889" java $SS_JAVA_OPTS -Djava.library.path=$SS_TC_DEPS/lib64/ -Xms32M -Xmx512M -Djava.awt.headless=true -cp "$SS_JAVA_CLASSPATH" -Djava.endorsed.dirs=$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib/endorsed -Dorg.xml.sax.parser=org.apache.xerces.parsers.SAXParser -Djetty.port=8888 -Dloader.jar.repositories=$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/lib:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/ext:$SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/extra/resources:$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/lib/endorsed -Dwebapp=$SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp -Dhome=$SS_TC_ROOT/$SS_TC_INSTALL -Dorg.mortbay.util.URI.charset=ISO-8859-1 -Dloader.main.class=org.mortbay.jetty.plus.Server Loader $SS_TC_ROOT/$SS_TC_INSTALL/tools/jetty/conf/main.xml
env ANT_HOME=$SS_TC_DEPS/ant ant -v $SS_ANT_OPTS -Dstonesoup.database.postgres.required=no -Dstonesoup.hibernate.postgres.required=no -Dstonesoup.hibernate.mysql.required=no -Dstonesoup.database.mysql.required=no -Dstonesoup.socket.required=yes -lib $SS_TC_DEPS/java/stonesoup/lttng/lttng-stonesoup-0.1.jar -Dstonesoup.socket.lib.dir="$SS_TC_DEPS/java/stonesoup/socket" -Dstonesoup.hibernate.mysql.lib.dir="$SS_TC_DEPS/java/stonesoup/hibernate/mysql" -Dstonesoup.hibernate.postgres.lib.dir="$SS_TC_DEPS/java/stonesoup/hibernate/postgres" -Dstonesoup.database.mysql.lib.dir="$SS_TC_DEPS/java/stonesoup/database/mysql" -Dstonesoup.database.postgres.lib.dir="$SS_TC_DEPS/java/stonesoup/database/postgres" -Dstonesoup.lttng.lib.dir="$SS_TC_DEPS/java/stonesoup/lttng" -Dstonesoup.lttng.dummy.lib.dir="$SS_TC_DEPS/java/stonesoup/lttng-dummy" -lib "$SS_TC_DEPS/java/lenya" -Dsrc.java.version="1.5" -Dlib.dir="$SS_TC_DEPS/java/lenya" -Ddist.root="$SS_TC_ROOT/$SS_TC_INSTALL" -Djava.endorsed.dirs="$SS_TC_ROOT/src/externals/cocoon_2_1_x/lib/endorsed" -Ddist.bin.dir="$SS_TC_ROOT/$SS_TC_INSTALL" prepare-dist-bin
mkdir -p $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp
cp $SS_TC_ROOT/$SS_TC_INSTALL/lenya.war $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/
(cd $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp && jar -xf lenya.war)
mkdir -p $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/WEB-INF/logs
rm $SS_TC_ROOT/$SS_TC_INSTALL/build/lenya/webapp/lenya.war
open firefox and browse to default page
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-01 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-01/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
Create a publication
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-02 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-02/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
Create publication and log in
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-03 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-03/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
edit with KUPU editor
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-04 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-04/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
edit with BXE editor
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-05 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-05/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
edit using "with forms" editor
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-06 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-06/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
test publishing to live site
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-07 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-07/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
test private message system
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-08 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-08/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
create new xhtml page
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-09 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-09/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
test RSS feed generation
Environment variable defining test value.
NONE
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
GOOD-10 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT
good-10/output.txt
DOES_NOT_RETURN
CONTROLLED_EXIT
Environment variable defining test value.
READ_APPLICATION_DATA
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
weakness_started_3WKsfuLCRJsADgePeVUn AND ((NOT PERFORMER AND (etc_passwd_line_pattern_hvHatIYsQ2 OR etc_passwd_root_user_kFvDm56aRi OR etc_group_line_pattern_5t9LYfSXj9) AND NOT timeout_TBObCDmbDo) or (PERFORMER AND NOT ((etc_passwd_line_pattern_hvHatIYsQ2 OR etc_passwd_root_user_kFvDm56aRi OR etc_group_line_pattern_5t9LYfSXj9) OR timeout_TBObCDmbDo OR controlled_exit_Z9ad3AoEWk)))
(NOT PERFORMER AND (etc_passwd_line_pattern_hvHatIYsQ2 OR etc_passwd_root_user_kFvDm56aRi OR etc_group_line_pattern_5t9LYfSXj9) AND NOT timeout_TBObCDmbDo) or (PERFORMER AND NOT ((etc_passwd_line_pattern_hvHatIYsQ2 OR etc_passwd_root_user_kFvDm56aRi OR etc_group_line_pattern_5t9LYfSXj9) OR timeout_TBObCDmbDo OR controlled_exit_Z9ad3AoEWk))
DOES_NOT_RETURN
CONTROLLED_EXIT
CONTINUED_EXECUTION
logfile.txt
.+:.+:[0-9]+:[0-9]+:.+:.+:.*
logfile.txt
^root:.*
logfile.txt
.+:x:[0-9]+:
None
stonesoup_trace:weakness_start
Environment variable defining test value.
READ_APPLICATION_DATA
$SS_TC_ROOT/logs/execute/lttng
$SS_TC_DEPS/lib64/liblttng-stonesoup-java.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so
weakness_started_IPSPXT9ogd3Hvcw4ginK AND ((NOT PERFORMER AND (etc_passwd_line_pattern_UzbVrlXPId OR etc_passwd_root_user_rMkfq8TQP7 OR etc_group_line_pattern_QSJ2u9WIo7) AND NOT timeout_6U925nDzL3) or (PERFORMER AND NOT ((etc_passwd_line_pattern_UzbVrlXPId OR etc_passwd_root_user_rMkfq8TQP7 OR etc_group_line_pattern_QSJ2u9WIo7) OR timeout_6U925nDzL3 OR controlled_exit_PQzcI5ju4r)))
(NOT PERFORMER AND (etc_passwd_line_pattern_UzbVrlXPId OR etc_passwd_root_user_rMkfq8TQP7 OR etc_group_line_pattern_QSJ2u9WIo7) AND NOT timeout_6U925nDzL3) or (PERFORMER AND NOT ((etc_passwd_line_pattern_UzbVrlXPId OR etc_passwd_root_user_rMkfq8TQP7 OR etc_group_line_pattern_QSJ2u9WIo7) OR timeout_6U925nDzL3 OR controlled_exit_PQzcI5ju4r))
DOES_NOT_RETURN
CONTROLLED_EXIT
CONTINUED_EXECUTION
logfile.txt
.+:.+:[0-9]+:[0-9]+:.+:.+:.*
logfile.txt
^root:.*
logfile.txt
.+:x:[0-9]+:
None
stonesoup_trace:weakness_start