[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0310281515140.3513@mail.securityfocus.com>
From: da at securityfocus.com (Dave Ahmad)
Subject: Re: sh-httpd `wildcard character' vulnerability
David Mirza Ahmad
Symantec
PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.
On Tue, 28 Oct 2003, Richard Brittain wrote:
> On Mon, 27 Oct 2003, dong-h0un U wrote:
>
> > Vulnerabilty happens '*' because don't filtering.
> > Through this character, can know existence of files to directory.
> ...
>
> This patch prevents the globbing, but also breaks the proper action of the
> server because bname() no longer returns the filename.
> A better patch is to disable all globbing in the script by turning on the
> "-n" option in the shell.
>
> > --- sh-httpd-0.4/sh-httpd Mon Oct 9 11:28:05 2000
> > +++ sh-httpd.patch Sat Jul 19 08:51:44 2003
> > @@ -31,7 +31,7 @@
> >
> > bname() {
> > local IFS='/'
> > - set -- $1
> > + set -- "$1"
> > eval rc="\$$#"
> > [ "$rc" = "" ] && eval rc="\$$(($# - 1))"
> > echo "$rc"
> > @@ -262,7 +262,7 @@
> >
> > # Split URI into base and query string at ?
> > IFS='?'
> > - set -- $URI
> > + set -- "$URI"
> > QUERY_STRING="$2"
> > URL="$1"
> > IFS=$OIFS
> > @@ -292,7 +292,7 @@
> > fi
> >
> > DIR="`dname $URL`"
> > - FILE="`bname $URL`"
> > + FILE="`bname "$URL"`"
> >
> > # Check for existance of directory
> > if [ ! -d "$DOCROOT/$DIR" ]; then
> > === eof ===
>
> Richard Brittain, Kiewit Computing Services, 6224 Baker/Berry Library
> Dartmouth College, Hanover NH 03755
> Email: richard.brittain@...tmouth.edu
> or: faculty-workstation-support@...tmouth
>
>
>
Powered by blists - more mailing lists