Re: Security hole in Confixx backup script

[Dirk Pirschel <dirk () pirschel de>]

Hi,

* Dirk Pirschel wrote on Fri, 25 Jun 2004 at 15:08 +0200:

> A malicious backup request via the webinterface might be used by any
> user to read files located in /root (which is the default installation
> directory of confixx).

Confixx does a "cd $dir; tar czf ..." without any error checking.  If
the target directory does not exist, the backup is done in the current
working directory, which is /root.

It is possible to retrieve *any* directory by replacing $HOME/files or
$HOME/html with a symlink.

> If you are using confixx, you should disable the backup script.

-Dirk

-- 
Linux - Life is too short for reboots

Attachment: _bin
Description: