Security issue - access any local server file from web interface (requires admin access)

Description

1. Log in to the GeoServer web panel
2. Go to Settings - Global
3. Change logging profile to QUIET_LOGGING.properties
4. Change log location: replace "logs/geoserver.log" with "/etc/passwd"
5. Go to GeoServer Logs

Result: you will see "/etc/passwd" (and can even download the whole file via the link below the log text).
So it's possible to read and display any local file from the server using only the GeoServer web interface.

Environment

None

Status

Assignee

Unassigned

Reporter

Alexey Vlasov

Triage

None

Fix versions

None

Affects versions

2.11.2
2.12-beta
2.7.2
2.10.4

Components

Priority

Medium
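
A containment check for the log location setting described in the report, as an added example that is not part of the original issue or of GeoServer's code. It assumes relative values are resolved against the data directory and that log files belong under its "logs" subdirectory; the function names and sample values are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

def check_log_location(data_dir, location, allowed_subdir="logs"):
    """Resolve a configured log location and return it only if the file
    stays inside <data_dir>/<allowed_subdir>; raise ValueError otherwise."""
    root = Path(data_dir).resolve()
    base = (root / allowed_subdir).resolve()
    candidate = Path(location)
    if not candidate.is_absolute():
        candidate = root / candidate      # assumption: relative to the data directory
    resolved = candidate.resolve()        # collapses ".." and follows symlinks
    # Compare path components, not string prefixes, so "logs-old/" cannot pass as "logs/".
    if base not in resolved.parents:
        raise ValueError(f"log location {location!r} resolves to {resolved}, outside {base}")
    return resolved

def demo():
    """Run the check over constructed sample values in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = Path(tmp) / "data_dir"
        (data_dir / "logs").mkdir(parents=True)
        outside = Path(tmp) / "outside.txt"   # constructed stand-in for a sensitive file
        outside.write_text("secret\n")
        os.symlink(outside, data_dir / "logs" / "link.log")
        samples = [
            "logs/geoserver.log",         # default value named in the report
            "/etc/passwd",                # value used in the report
            "logs/../../outside.txt",     # traversal out of the data directory
            "logs-old/geoserver.log",     # sibling directory sharing the prefix
            "logs/link.log",              # symlink inside logs/ pointing outside
        ]
        for value in samples:
            try:
                check_log_location(data_dir, value)
                results[value] = "accepted"
            except ValueError:
                results[value] = "rejected"
    return results

if __name__ == "__main__":
    for value, verdict in demo().items():
        print(f"{verdict:9} {value}")
```

The same check can be run as an audit over the currently saved setting, since a value that resolves outside the logs directory is what makes the log viewer return an arbitrary file.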