| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Jun 2003 15:00:13 -0400 (EDT) From: "Steven M. Christey" <coley@...re.org> To: bugtraq@...urityfocus.com Subject: Re: TA-2003-06 Directory Transversal Vulnerability in iWeb Server There are so many variants to directory traversal vulnerabilities, especially in web servers and other software where encoding and canonicalization is such a factor, that I have seen a number of confusing cases such as this. It definitely helps when the researcher who discovers a new variant specifically references the old variant and says how the underlying problem is different. This doesn't seem to happen too frequently, though, and distinguishing between variants gets much more difficult when it is not known if the vendor has fixed the original variant. In this case, it looks like the programmer introduced what I call a "validate-before-canonicalize" error, for lack of a better term: the software may well strip ".." sequences from the input (the original bug), but the programmer does this cleansing *before* the operation that does the URL decoding (kind of like a new bug - performing operations in the wrong order). As programmers have slowly gotten better about avoiding the obvious directory traversal issues, these "validate-before-canonicalize" errors seem to be cropping up more frequently. - Steve
Powered by blists - more mailing lists