Bugtraq mailing list archives
Re: mirror 2.9 hole
From: kelm () PCA DFN DE (Stefan Kelm)
Date: Tue, 19 Oct 1999 17:23:35 +0200
> mirror is a Perl script which is widely used for making copies of remote FTP sites. It is included in the FreeBSD packages. There are security holes which allow overwriting local files from a remote FTP site with the permissions of the user who runs mirror.
>
> When retrieving a directory listing, mirror doesn't check whether a filename or directory name contains ".." or "\". This allows creating or overwriting files in a directory different from the destination. To simply test this bug you can create a " .." directory on your FTP site and mirror your site. Mirror will create temporary files in the directory one level higher than specified. This way you couldn't overwrite any useful information, but this may be used, for example, to fill up the / directory (if mirror is run as root). But by putting little changes into your ftpd (for example making it change '\' to '/' in listings) you can force mirror to overwrite _any_ file with the permissions of the mirror user when it mirrors your FTP site.
>
> Tested with:
>
> $ mirror -v
> $Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $
I can confirm the behaviour you describe for mirror.pl,v 2.8 running on Solaris, although I wasn't able to create any temporary files by using a "\" in either the file names or the directory names.

However, the default mirror configuration shows the following part:

# Don't touch anything whose name begins with a space!
exclude_patt=(^|/)(.mirror$|.in..*.$|MIRROR.LOG|#.*#|.FSP|.cache|.zipped|lost+found/| )

(you might want to quote the space character at the end)

Even the man page recommends using the line above. Be careful not to overwrite the keyword exclude_patt in your own mirror files. If you do have to use exclude_patt, be sure to specify something like:

exclude_patt+|^blah/|

(note the "+" sign!)

This should not allow temporary files to be created through " ..". At least it didn't on my system. :-)

Cheers,

Stefan.

______________________________________________________________________________
Stefan Kelm
DFN-PCA <kelm () pca dfn de>
PGP key: "finger kelm () www pca dfn de" or via key server
Vogt-Koelln-Str. 30, 22527 Hamburg (Germany)
http://www.pca.dfn.de/~kelm/
Tel: +49 40 428 83-2262 / Fax: -2241
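The two messages above describe the same flaw from two angles: the advisory says mirror writes wherever a hostile listing name points, and the reply says the default exclude_patt (whose last alternative is a single space) blocks the " .." trick. The script below is an added example, not code from mirror or from either poster. It applies the default exclude_patt exactly as quoted on this page to a constructed listing, and beside it runs the check mirror lacked according to the advisory: resolve each entry against the destination directory and refuse anything that lands outside it or carries a backslash. The listing parser that strips whitespace (so that " .." becomes "..") is an assumption that models the behaviour the advisory reports, not a description of mirror's real parser. The point it makes is that exclude_patt catches the leading-space name but does nothing against a server that emits "../../etc/passwd" outright, which only the containment check stops.

```python
import os
import re

# Default exclude_patt as quoted in the reply above. It is a Perl regex and
# Python's re accepts it unchanged; note the final alternative is one space.
EXCLUDE_PATT = re.compile(
    r"(^|/)(.mirror$|.in..*.$|MIRROR.LOG|#.*#|.FSP|.cache|.zipped|lost+found/| )"
)

# Constructed listing names a hostile FTP server might return (not captured
# from any real site).
SAMPLE_LISTING = [
    "README",                 # ordinary file
    ".mirror",                # mirror's own state file, excluded by default
    " ..",                    # the directory the advisory says to create
    "../../etc/passwd",       # what an ftpd rewriting '\' to '/' could emit
    "sub/../../outside.txt",  # traversal hidden behind a normal component
    "evil\\..\\x",            # raw backslashes, as a Unix filename allows
]


def parse_listing_name(raw):
    """Assumed listing parser: trims whitespace, so ' ..' turns into '..'.

    This models the behaviour the advisory describes (temporary files
    appearing one directory up); it is not mirror's actual parser."""
    return raw.strip()


def excluded_by_patt(raw):
    """True if the default exclude_patt would skip this raw listing entry."""
    return EXCLUDE_PATT.search(raw) is not None


def stays_inside(dest, name):
    """Containment check mirror lacked: the entry joined to dest must resolve
    to dest itself or something below it. Backslashes and absolute names are
    rejected outright because a cooperating ftpd controls how they appear."""
    if "\\" in name or name.startswith("/"):
        return False
    dest = os.path.normpath(dest)
    target = os.path.normpath(os.path.join(dest, name))
    return target == dest or target.startswith(dest + os.sep)


def classify(dest, raw):
    """Report what each defence says about one listing entry."""
    name = parse_listing_name(raw)
    return {
        "excluded_by_patt": excluded_by_patt(raw),
        "stays_inside": stays_inside(dest, name),
    }


def safe_to_write(dest, listing):
    """Names that pass both checks, i.e. the only entries worth writing."""
    return [
        raw for raw in listing
        if not excluded_by_patt(raw)
        and stays_inside(dest, parse_listing_name(raw))
    ]


if __name__ == "__main__":
    dest = "/var/mirror/site"  # hypothetical destination directory
    for raw in SAMPLE_LISTING:
        print(repr(raw), classify(dest, raw))
    print("would write:", safe_to_write(dest, SAMPLE_LISTING))
```

Run as is, only README survives both checks; " .." is stopped by exclude_patt, while the three traversal names pass exclude_patt untouched and are stopped only by stays_inside. Whether mirror itself ever writes the temporary file for a "\" name is exactly the point on which the two posters differ, so the script deliberately treats both checks as independent rather than claiming one subsumes the other.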
Current thread:
- Re: mirror 2.9 hole Stefan Kelm (Oct 19)
- Re: mirror 2.9 hole jcp (Oct 20)