Re: sh-httpd `wildcard character' vulnerability

[Dave Ahmad <da () securityfocus com>]

David Mirza Ahmad
Symantec

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.

On Tue, 28 Oct 2003, Richard Brittain wrote:

> On Mon, 27 Oct 2003, dong-h0un U wrote:
>
> > Vulnerabilty happens '*' because don't filtering.
> > Through this character, can know existence of files to directory.
> ...
>
> This patch prevents the globbing, but also breaks the proper action of the
> server because bname() no longer returns the filename.
> A better patch is to disable all globbing in the script by turning on the
> "-n" option in the shell.
>
> > --- sh-httpd-0.4/sh-httpd       Mon Oct  9 11:28:05 2000
> > +++ sh-httpd.patch      Sat Jul 19 08:51:44 2003
> > @@ -31,7 +31,7 @@
> >
> >  bname() {
> >         local IFS='/'
> > -       set -- $1
> > +       set -- "$1"
> >         eval rc="\$$#"
> >         [ "$rc" = "" ] && eval rc="\$$(($# - 1))"
> >         echo "$rc"
> > @@ -262,7 +262,7 @@
> >
> >         # Split URI into base and query string at ?
> >         IFS='?'
> > -       set -- $URI
> > +       set -- "$URI"
> >         QUERY_STRING="$2"
> >         URL="$1"
> >         IFS=$OIFS
> > @@ -292,7 +292,7 @@
> >         fi
> >
> >         DIR="`dname $URL`"
> > -       FILE="`bname $URL`"
> > +       FILE="`bname "$URL"`"
> >
> >         # Check for existance of directory
> >         if [ ! -d "$DOCROOT/$DIR" ]; then
> > === eof ===
>
> Richard Brittain,  Kiewit Computing Services, 6224 Baker/Berry Library
>                    Dartmouth College, Hanover NH 03755
> Email: richard.brittain () dartmouth edu
>    or: faculty-workstation-support@dartmouth

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html