Message-ID: <200306271900.h5RJ0DSS010873@linus.mitre.org>
Date: Fri, 27 Jun 2003 15:00:13 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Re: TA-2003-06 Directory Transversal Vulnerability in iWeb Server
There are so many variants of directory traversal vulnerabilities,
especially in web servers and other software where encoding and
canonicalization is such a factor, that I have seen a number of
confusing cases such as this.

It definitely helps when the researcher who discovers a new variant
specifically references the old variant and says how the underlying
problem is different.  This doesn't seem to happen too frequently,
though, and distinguishing between variants gets much more difficult
when it is not known if the vendor has fixed the original variant.

In this case, it looks like the programmer introduced what I call a
"validate-before-canonicalize" error, for lack of a better term: the
software may well strip ".." sequences from the input (the original
bug), but the programmer does this cleansing *before* the operation
that does the URL decoding (kind of like a new bug - performing
operations in the wrong order).

As programmers have slowly gotten better about avoiding the obvious
directory traversal issues, these "validate-before-canonicalize"
errors seem to be cropping up more frequently.


- Steve


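The ordering bug Steve describes, as an added illustration that is not part of the original post and not the iWeb Server code: a ".." filter that runs on the still-encoded request path, so that URL decoding reintroduces the sequence it just removed, beside the fixed ordering (decode, canonicalize, then check the canonical result against the document root). The document root path, the request strings and the helper names are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the example; any absolute path works.
DOCROOT = "/var/www/htdocs"


def strip_dotdot(path):
    """The kind of 'cleansing' a naive filter does: remove literal '..'."""
    return path.replace("..", "")


def resolve_vulnerable(request_path):
    """Validate-before-canonicalize: filter first, URL-decode second.

    The '..' filter never sees '%2e%2e', and unquote() turns it back into
    '..' after the check has already passed.  Returns the filesystem path
    the server would go on to open.
    """
    filtered = strip_dotdot(request_path)     # validation on encoded input
    decoded = unquote(filtered)               # canonicalization too late
    return posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))


def resolve_hardened(request_path):
    """Canonicalize first, then validate the canonical form.

    Decode, collapse '.' / '..' with normpath, and only then check that
    the result is DOCROOT itself or lies strictly below it.  Returns the
    resolved path, or None when the request must be refused.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:                     # %00 would truncate C strings
        return None
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None                           # escaped the document root
    return candidate


def compare(request_path):
    """Return (vulnerable_result, hardened_result) for one request path."""
    return resolve_vulnerable(request_path), resolve_hardened(request_path)


if __name__ == "__main__":
    # Constructed request paths: the plain variant the old filter catches,
    # the encoded variant that slips past it, and a legitimate relative path.
    for req in ("../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "docs/%2e%2e/index.html"):
        print(f"{req:40s} vulnerable={compare(req)[0]!r:34s} hardened={compare(req)[1]!r}")
```

The plain "../../../etc/passwd" is neutered by strip_dotdot() in both versions, which is why the original report looked fixed; the fully encoded form reaches the filesystem as /etc/passwd only through resolve_vulnerable(). Note that resolve_hardened() decodes exactly once: a double-encoded "%252e%252e" becomes the literal filename "%2e%2e" and stays under DOCROOT, which is correct unless some later layer decodes it again, so keep a single decoding step and do all checks after it.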