Message-ID: <Pine.LNX.4.58.0310281515140.3513@mail.securityfocus.com>
Date: Tue, 28 Oct 2003 15:15:18 -0700 (MST)
From: Dave Ahmad <da@...urityfocus.com>
To: Richard Brittain <richard@...thstar.dartmouth.edu>
Cc: dong-h0un U <xploit@...kermail.com>, bugtraq@...urityfocus.com,
   full-disclosure@...ts.netsys.com, vulnwatch@...nwatch.org
Subject: Re: sh-httpd `wildcard character' vulnerability




David Mirza Ahmad
Symantec

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.

On Tue, 28 Oct 2003, Richard Brittain wrote:

> On Mon, 27 Oct 2003, dong-h0un U wrote:
>
> > The vulnerability happens because '*' is not filtered.
> > Through this character, one can learn of the existence of files in a directory.
> ...
>
> This patch prevents the globbing, but also breaks the proper action of the
> server because bname() no longer returns the filename.
> A better patch is to disable all globbing in the script by turning on the
> "-n" option in the shell.
>
> > --- sh-httpd-0.4/sh-httpd       Mon Oct  9 11:28:05 2000
> > +++ sh-httpd.patch      Sat Jul 19 08:51:44 2003
> > @@ -31,7 +31,7 @@
> >
> >  bname() {
> >         local IFS='/'
> > -       set -- $1
> > +       set -- "$1"
> >         eval rc="\$$#"
> >         [ "$rc" = "" ] && eval rc="\$$(($# - 1))"
> >         echo "$rc"
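Review bot: in bname(), `set -- "$1"` suppresses field splitting on IFS='/' as well as pathname expansion, so `$#` is always 1 and `rc` holds the whole path instead of its last component. Keep `$1` unquoted and turn pathname expansion off before the split (`set -f` ahead of `set -- $1`), so the function still returns the filename without matching `*` against the filesystem.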
> > @@ -262,7 +262,7 @@
> >
> >         # Split URI into base and query string at ?
> >         IFS='?'
> > -       set -- $URI
> > +       set -- "$URI"
> >         QUERY_STRING="$2"
> >         URL="$1"
> >         IFS=$OIFS
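Review bot: with `set -- "$URI"` the IFS='?' split never happens, so `$2` is always empty, `QUERY_STRING` is lost and `URL` keeps the `?query` suffix. The split needs the unquoted expansion; disable pathname expansion for it (`set -f`) rather than quoting `$URI`.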
> > @@ -292,7 +292,7 @@
> >         fi
> >
> >         DIR="`dname $URL`"
> > -       FILE="`bname $URL`"
> > +       FILE="`bname "$URL"`"
> >
> >         # Check for existance of directory
> >         if [ ! -d "$DOCROOT/$DIR" ]; then
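Review bot: the context line `DIR="`dname $URL`"` directly above the changed line still passes `$URL` unquoted, so a `*` in the request is still expanded on that call. Quote it the same way as the `bname` call, or disable pathname expansion for the whole script; writing the substitutions as `$(...)` would also avoid nesting double quotes inside backticks.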
> > === eof ===
>
> Richard Brittain,  Kiewit Computing Services, 6224 Baker/Berry Library
>                    Dartmouth College, Hanover NH 03755
> Email: richard.brittain@...tmouth.edu
>    or: faculty-workstation-support@...tmouth
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
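
The trade-off discussed in this thread, as an added example that is not part of the original messages or of sh-httpd's own code: the unpatched split, the quoted form from the posted patch, and a split done with pathname expansion turned off. The function names and the scratch directory are constructed for illustration, and `set -f` (noglob) is used here as the shell option that disables pathname expansion.

```shell
#!/bin/sh
# Three ways to take the last "/"-separated component of a request path.
# Each body runs in a subshell ( ... ), so the IFS and set -f changes
# do not leak into the caller.

# Unpatched form: unquoted $1 is field-split AND pathname-expanded.
bname_orig() (
    IFS='/'
    set -- $1
    eval rc="\${$#}"
    printf '%s\n' "$rc"
)

# Posted patch: quoting stops the glob, but also stops the split.
bname_quoted() (
    IFS='/'
    set -- "$1"
    eval rc="\${$#}"
    printf '%s\n' "$rc"
)

# Split on "/" with pathname expansion disabled (set -f, i.e. noglob).
bname_noglob() (
    set -f
    IFS='/'
    set -- $1
    eval rc="\${$#}"
    printf '%s\n' "$rc"
)

# Constructed demo: a scratch directory holding one file that a client
# should not be able to learn about, and a request path ending in "*".
demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    : > secret.txt
    for f in bname_orig bname_quoted bname_noglob; do
        printf '%-13s %s\n' "$f" "$($f '/pub/*')"
    done
    cd / && rm -rf "$dir"
)

demo
```

Only the first form returns a name taken from the working directory; the quoted form returns the unsplit path, and the noglob form returns the literal `*`.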