GMS-2021-52: Any storage file can be downloaded from p.sh if full server path is known

September 14, 2021

The default configuration for platform.sh (.platform.app.yaml) allows access to uploaded files if you know or can guess their location, regardless of whether roles grant content read access to the content containing those files. If you’re using Legacy Bridge, the default configuration also allows access to certain legacy files that should not be readable, including the legacy var directory and extension directories.

References

developers.ibexa.co/security-advisories/ibexa-sa-2021-006-storage-and-legacy-files-accessible-if-path-is-known
github.com/advisories/GHSA-gqcf-83rq-gpfr
github.com/ibexa/post-install/security/advisories/GHSA-gqcf-83rq-gpfr

Code Behaviors & Features

Detect and mitigate GMS-2021-52 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →