NFS server misconfiguration allows file access outside the exported directory

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. There is a security issue with the NFS configuration in /etc/exports generated by the installer that allows an attacker to modify files outside the export in the default installation. The exports have the no_subtree_check option. The no_subtree_check option means that if a client performs a file operation, the server will only check if the requested file is on the correct filesystem, not if it is in the correct directory. This enables modifying files in /images, accessing other files on the same filesystem, and accessing files on other filesystems. This vulnerability is fixed in 1.5.10.30.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

不安全的缺省变量初始化

FOGProject 安全漏洞

FOGProject是FOGProject开源的一个免费的开源网络计算机克隆和管理解决方案。可用于部署和管理任何桌面操作系统。 FOGProject 1.5.10.30之前版本存在安全漏洞，该漏洞源于安装程序生成的/etc/exports中的NFS配置存在安全问题，允许攻击者在默认安装中修改导出之外的文件。

N/A

N/A