Bugtraq mailing list archives

RE: Linux, too, sort of (Windows MS-DOS Device Name DoS vulnerabilities)


From: "Cole, Timothy D." <timothy_d_cole () md northgrum com>
Date: Wed, 18 Jul 2001 14:23:43 -0400

-----Original Message-----
From: aland () striker ottawa on ca [SMTP:aland () striker ottawa on ca]
Sent: Wednesday, July 18, 2001 12:10
To:   bugtraq () securityfocus com
Subject:      Re: Linux, too, sort of (Windows MS-DOS Device Name DoS
vulnerabilities) 

Ishikawa <ishikawa () yk rim or jp> wrote:
due to the problems mentioned,
we should not forget that a famous browser client on
Linux is similarly guilty.

I tried the following URLs with
my netscape browser under Linux.

    file:///dev/null
...
    file:///dev/zero
...
    file:///dev/pty0

  A 'stat' of all of these files shows that they are not regular
files.  There's no reason, then, to open them in the browser.

If someone wants to be nasty, he/she can
create a web page with
URLs inside <IMG SRC="these device files" ....>
listing DOS devices as well as these popular UNIX devices.

  I question the wisdom of browsers which allow external web pages to
reference local files via 'file://' URLs.

        I agree; that's really the underlying problem.  Checking for special
files is a band-aid fix that also limits flexibility.

        References to 'local' URLs (file: and otherwise) from 'non-local'
documents should at least produce a confirmation dialog.  Beyond that,
configurable policy facilities like those starting to show up in browsers
for cookies etc. would be nice.

As someone mentioned, we can't predict what other
device files may show up in the future by addition of
new hardware drivers.

  We also cannot predict where special files exist, either.  Placing
the special file 'zero' in '/dev' is simply an administrative
convention on many Unix systems.  Device files can exist anywhere.

        On some kernels (HURD, or Linux/*BSD with userfs), normal files can
be equally "magic".

        As a general principle, regardless of platform, local paths may
encompass more than just 'dumb' files, so following 'remote' references to
them should be restricted.
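
The two checks discussed in this message, as an added example that is not part of the original post or of any browser's code: a referrer policy that refuses 'local' URLs referenced from 'non-local' documents, followed by the regular-file test done with fstat on the already opened descriptor. The function names and the choice to treat only `file:` as local are assumptions made for the illustration.

```python
import os
import stat
from urllib.parse import urlsplit, unquote

# Assumption for this example: only file: counts as a 'local' scheme.
LOCAL_SCHEMES = {"file"}


def is_local(url):
    return urlsplit(url).scheme.lower() in LOCAL_SCHEMES


def may_follow(referrer_url, target_url):
    """Policy check: a non-local document may not reference a local URL."""
    return not is_local(target_url) or is_local(referrer_url)


def open_regular_file(path):
    """Open path read-only, refusing anything that is not a regular file."""
    # O_NONBLOCK keeps the open from hanging on a FIFO or serial line;
    # O_NOCTTY keeps a tty from becoming the controlling terminal.
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOCTTY)
    # fstat the descriptor we hold rather than stat-ing the path again,
    # so the file cannot be swapped between the check and the read.
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise PermissionError(f"{path}: not a regular file")
    return os.fdopen(fd, "rb")


def load_file_url(referrer_url, target_url, limit=1 << 20):
    """Fetch a file: URL on behalf of the document at referrer_url."""
    if not is_local(target_url):
        raise ValueError("only file: targets are handled in this example")
    # The policy check comes first: it does not depend on knowing which
    # paths are special, so it also covers 'magic' regular files.
    if not may_follow(referrer_url, target_url):
        raise PermissionError("non-local document referenced a local URL")
    path = unquote(urlsplit(target_url).path)
    with open_regular_file(path) as f:
        # Bounded read as a second line of defence against endless sources.
        return f.read(limit)
```

The fstat test only runs after the open has happened, so it cannot undo side effects that some device drivers trigger on open, which is one more reason the referrer policy is checked first.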

