lists.openwall.net   lists  /  announce  john-users  owl-users  popa3d-users  /  xvendor  oss-security  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4 
Open Source and information security mailing list archives
 
Order Openwall GNU/*/Linux 2.0 on a CD with delivery worldwide
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
From: dirk at pirschel.de (Dirk Pirschel)
Subject: Security hole in Confixx backup script

Hi,

* Dirk Pirschel wrote on Fri, 25 Jun 2004 at 15:08 +0200:

> A malicious backup request via the webinterface might be used by any
> user to read files located in /root (which is the default installation
> directory of confixx).

Confixx does a "cd $dir; tar czf ..." without any error checking.  If
the target directory does not exist, the backup is done in the current
working directory, which is /root.

It is possible to retrieve *any* directory by replacing $HOME/files or
$HOME/html with a symlink.

> If you are using confixx, you should disable the backup script.

-Dirk

-- 
Linux - Life is too short for reboots
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040727/5cecd3ac/attachment.bin

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux