Bugtraq mailing list archives
Re: IRM Security Advisory 002: Netware Web Server Source Disclosure
From: Ulf Harnhammar <ulf () nic st>
Date: Fri, 21 Dec 2001 11:53:33 +0100 (CET)
On Thu, 20 Dec 2001, eNowak IGF remote wrote:
> // only read file which is under the secure sewse path -- hence filtering ".."
> if ((argv[i]).indexOf("..") != -1) {
>     return "Cannot read from insecure path.";
> }
This fix does not seem to allow people to use filenames that include the characters ".." (i.e., "my_document..ulf.txt" is not valid). It is probably better to parse the file name, so you know what parts are directories and what part is the file name, and then check the directory parts for the exact strings "." and "..".

________________________________________
Ulf Härnhammar
System Developer
ST-Registry
St Eriksgatan 117, E2
SE-113 43 Stockholm
SWEDEN
Telephone: +46 (0)8-545 476 04
Facsimile: +46 (0)8-32 63 33
E-mail: ulf () nic st
Web: http://www.nic.st/
The STreet domain - your Internet address
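As an added illustration (not code from the original thread or from the NetWare product), the quoted substring check placed beside the component-based check the reply proposes, written in Java because the quoted snippet is Java. The class, method names and sample paths are invented, and it assumes "/" is the only separator the server honours.

```java
import java.util.Arrays;
import java.util.List;

// Hypothetical class: contrasts the two checks discussed in the thread.
public class SecurePathCheck {

    // The quoted approach: refuse any request whose path contains "..".
    // This also refuses legitimate names such as "my_document..ulf.txt".
    static boolean substringCheckAllows(String requested) {
        return requested.indexOf("..") == -1;
    }

    // The proposed approach: split the path into its components and refuse
    // only a component that is exactly "." or "..". A filename may then
    // contain ".." as text while directory traversal is still rejected.
    // Assumption: "/" is the only separator the server treats as such; if
    // the server also honours "\" (or URL-encoded forms), decode and
    // normalise those before splitting.
    static boolean componentCheckAllows(String requested) {
        String[] parts = requested.split("/");
        for (String part : parts) {
            if (part.equals(".") || part.equals("..")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample requests, not taken from the advisory.
        List<String> samples = Arrays.asList(
            "docs/my_document..ulf.txt", // legitimate name containing ".."
            "../private/source.txt",     // parent-directory component
            "docs/./notes.txt");         // "." as a directory component
        for (String s : samples) {
            System.out.printf("%-28s substring:%-5b component:%-5b%n",
                s, substringCheckAllows(s), componentCheckAllows(s));
        }
    }
}
```

Only the first sample differs between the two checks: the substring check refuses it, the component check allows it, and both refuse the traversal cases.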