Re: Creating file on login

[Brad Arlt <arlt () cpsc ucalgary ca>]

On Thu, Nov 27, 2003 at 08:34:46AM -0300, Fausto wrote:
>    I have a system that when one try to login it create a file with the 
> name of the user that tried to log.
>    The problem is that if the do not exists the system creates the file 
> with the invalid user...
>    Can we do some exploit in this case...??
>    Is this problem dangerous...

I am not sure an exploit is possible or practical.  A login name of
/etc/passwd or ../../../../../../passwd may not yield desirable results.

And there is of course the simple (and possible) DoS on your
filesystem where one just trys to login using random strings in an
attempt to use all inodes on the filesystem (or disk space, whichever
really...)

A single log file, using XML or other easily parsible tagging system
will yield the same result without the problems from above.

Or you could just sanitize usernames before using them as a filename -
sanitizing user input before you use it is always a good idea.
-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         Joyously Canadian               Computer Science

---------------------------------------------------------------------------
----------------------------------------------------------------------------