Bugtraq mailing list archives
Re: IRM Security Advisory 002: Netware Web Server Source Disclosure
From: Alun Jones <alun () texis com>
Date: Fri, 21 Dec 2001 12:27:07 -0600
At 04:53 AM 12/21/2001, Ulf Harnhammar wrote:
> On Thu, 20 Dec 2001, eNowak IGF remote wrote:
> > // only read file which is under the secure sewse path -- hence filtering ".."
> > if ((argv[i]).indexOf("..") != -1)
> > { return "Cannot read from insecure path."; }
>
> This fix does not seem to allow people to use filenames that include the characters ".." (i.e., "my_document..ulf.txt" is not valid). It is probably better to parse the file name, so you know what parts are directories and what part is the file name, and then check the directory parts for the exact strings "." and "..".
Better still, and more likely to catch things that you're not expecting, is to construct the full absolute path of the target file, and compare _that_, not the user's input, to a validation rule set.
Your own solution, for instance, doesn't catch certain OS's choice to use "..." to represent "two directories up", nor does it catch "//" in the middle of a path. Better to expand to a full path, and then do the comparison.
Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun () texis com
Cedar Park TX 78613-1419  | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.
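The two approaches discussed in this message, side by side, as an added example that is not part of the original thread and not the Netware/sewse code it quotes: the substring filter rejects any name containing "..", while the alternative builds the full path under the document root first, normalises it, and only then checks that the result is still inside the root. The document root /srv/www/docs and the sample file names are constructed for the example. It uses posixpath rather than the host's os.path so the result is the same on every platform; that also means OS-specific spellings such as "..." are not resolved here, which is exactly why a real deployment should hand the joined path to the operating system's resolver (os.path.realpath) before comparing it.

```python
import posixpath

# Assumed document root for this example (not from the original post).
BASE_DIR = "/srv/www/docs"


def naive_filter(user_path):
    """The check quoted in the thread: accept unless the name contains '..'.

    Returns True when the name would be served."""
    return ".." not in user_path


def resolved_path_check(user_path, base_dir=BASE_DIR):
    """Build the absolute target path first, then validate the result.

    Joins the supplied name onto the document root, collapses '.', '..'
    and repeated '/', and accepts only if the normalised path is the root
    itself or lies strictly below it.  Returns the normalised path when
    accepted, None otherwise."""
    base = posixpath.normpath(base_dir)
    # posixpath.join discards base when user_path is absolute; such an input
    # therefore fails the containment test below instead of escaping silently.
    full = posixpath.normpath(posixpath.join(base, user_path))
    # Comparing against base + "/" (not just base) keeps a sibling directory
    # such as "/srv/www/docs_private" from passing as a prefix match.
    if full == base or full.startswith(base + "/"):
        return full
    return None


def compare(user_paths):
    """Run constructed inputs through both checks.

    Returns a list of (input, naive_accepts, resolved_path_or_None)."""
    return [(p, naive_filter(p), resolved_path_check(p)) for p in user_paths]


if __name__ == "__main__":
    # Constructed sample inputs: a plain file, the legitimate name with ".."
    # inside it that Ulf mentions, doubled separators, and names that leave
    # the document root with and without any ".." component.
    samples = [
        "index.html",
        "my_document..ulf.txt",
        "reports//2001/./summary.txt",
        "../../etc/passwd",
        "/etc/passwd",
        "../docs_private/x",
    ]
    for name, naive_ok, resolved in compare(samples):
        print(f"{name!r:32} substring-filter={naive_ok!s:5} resolved={resolved}")
```

The rows worth noticing are the legitimate "my_document..ulf.txt", which the substring filter refuses but the resolved-path check serves, and the absolute name, which contains no ".." at all and so slips past the filter yet is rejected once the full path is compared to the root.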
Current thread:
- IRM Security Advisory 002: Netware Web Server Source Disclosure IRM Security Advisories (Dec 19)
- Re: IRM Security Advisory 002: Netware Web Server Source Disclosure Matthew Firth (Dec 20)
- <Possible follow-ups>
- Re: IRM Security Advisory 002: Netware Web Server Source Disclosure eNowak IGF remote (Dec 20)
- Re: IRM Security Advisory 002: Netware Web Server Source Disclosure Ulf Harnhammar (Dec 21)
- Re: IRM Security Advisory 002: Netware Web Server Source Disclosure Alun Jones (Dec 21)
- Re: IRM Security Advisory 002: Netware Web Server Source Disclosure Ulf Harnhammar (Dec 21)