Message-ID: <200303110222.49651.ripe@7a69ezine.org>
Date: Tue, 11 Mar 2003 02:22:49 +0100
From: Albert Puigsech Galicia <ripe@...9ezine.org>
To: bugtraq@...urityfocus.com
Subject: Cross-Referencing Linux vulnerability


Info.
-----

	+ Type:		To gain visibility

	+ Software:	Cross-Referencing Linux.
	 
	+ Versions:	up to 0.9.2

	+ Exploit:		Yes.

	+ Author:		Albert Puigsech Galicia

	+ Contact:	ripe@...9ezine.org





Introduction.
-------------

	Cross-Referencing Linux, also known as LXR, lets you read the entire Linux
kernel source using a web browser. The application is written in Perl and
converts all Linux kernel sources to HTML. For more information, visit the
project's official website at http://lxr.linux.nu.



Description.
------------

	LXR supports navigating through various kernel versions. The version is
read from the 'v' variable, whose content is placed in the path used to open
the file without filtering the '..' special directory.



Exploiting.
-----------

	It is possible to read any file on the system with apache privileges by
going up the directory tree, sending malicious data in the 'v' variable. It is
also necessary to finish the path with a nul char so that the rest of the path
is ignored, so we add %00 at the end of 'v'.

	An example of an exploit call may be:

	http://vulnerable/source?v=../../../../../../../etc/password%00



Patch.
------

	There isn't an official patch for the moment, but it is easy to add a
regex filtering the '..' content when the 'v' variable is read.


--
>=====================
> Albert Puigsech Galicia
>
> http://ripe.7a69ezine.org
>=====================
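
The filter suggested under "Patch", written out in Perl as an added example that is not part of the original advisory and is not LXR's own code. It goes one step beyond stripping '..' by allowlisting the characters a version name may contain, which also rejects the nul char and '/'. The names `$SOURCE_ROOT`, `safe_version` and `source_path`, and the directory layout, are assumptions.

```perl
#!/usr/bin/perl
# Added example, not LXR's code. The names and the layout
# /var/lxr/source/<version>/<file> are assumptions.
use strict;
use warnings;
use File::Spec;

my $SOURCE_ROOT = '/var/lxr/source';   # assumed location of the kernel trees

# Return the version string if it is safe to place in a path, undef otherwise.
sub safe_version {
    my ($v) = @_;
    return undef unless defined $v;
    # Allowlist: the whole value must be letters, digits, '.', '_' or '-'.
    # \A and \z anchor the entire string, so a nul char (decoded from %00)
    # or a '/' anywhere in the value fails the match.
    return undef unless $v =~ /\A[A-Za-z0-9._-]{1,32}\z/;
    # Dots are needed for names like 2.4.20, so '.' and any '..'
    # sequence are rejected explicitly.
    return undef if $v =~ /\.\./ or $v eq '.';
    return $v;
}

# Build the path for a file inside one kernel tree. $file is assumed to be
# validated separately; only the handling of 'v' is shown here.
sub source_path {
    my ($v, $file) = @_;
    my $version = safe_version($v);
    return undef unless defined $version;
    return File::Spec->catfile($SOURCE_ROOT, $version, $file);
}

# Constructed sample values for 'v', already URL-decoded as a CGI layer would.
my @samples = (
    '2.4.20',
    "../../../../../../../etc/password\0",
    '2.4.20/../..',
    "2.4.20\0",
    '..',
);

for my $v (@samples) {
    (my $shown = $v) =~ s/\0/\\0/g;    # make the nul char visible in output
    my $path = source_path($v, 'Makefile');
    printf "%-45s %s\n", $shown, defined $path ? "-> $path" : 'rejected';
}
```

Only the first sample is accepted; rejecting the request outright, rather than deleting '..' and continuing, avoids inputs that turn back into '..' after the filter runs.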

