Full Disclosure mailing list archives
Re: sh-httpd `wildcard character' vulnerability
From: Dave Ahmad <da () securityfocus com>
Date: Tue, 28 Oct 2003 15:15:18 -0700 (MST)
David Mirza Ahmad Symantec PGP: 0x26005712 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12 -- The battle for the past is for the future. We must be the winners of the memory war. On Tue, 28 Oct 2003, Richard Brittain wrote:
On Mon, 27 Oct 2003, dong-h0un U wrote:Vulnerabilty happens '*' because don't filtering. Through this character, can know existence of files to directory.... This patch prevents the globbing, but also breaks the proper action of the server because bname() no longer returns the filename. A better patch is to disable all globbing in the script by turning on the "-n" option in the shell.--- sh-httpd-0.4/sh-httpd Mon Oct 9 11:28:05 2000 +++ sh-httpd.patch Sat Jul 19 08:51:44 2003 @@ -31,7 +31,7 @@ bname() { local IFS='/' - set -- $1 + set -- "$1" eval rc="\$$#" [ "$rc" = "" ] && eval rc="\$$(($# - 1))" echo "$rc" @@ -262,7 +262,7 @@ # Split URI into base and query string at ? IFS='?' - set -- $URI + set -- "$URI" QUERY_STRING="$2" URL="$1" IFS=$OIFS @@ -292,7 +292,7 @@ fi DIR="`dname $URL`" - FILE="`bname $URL`" + FILE="`bname "$URL"`" # Check for existance of directory if [ ! -d "$DOCROOT/$DIR" ]; then === eof ===Richard Brittain, Kiewit Computing Services, 6224 Baker/Berry Library Dartmouth College, Hanover NH 03755 Email: richard.brittain () dartmouth edu or: faculty-workstation-support@dartmouth
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- sh-httpd `wildcard character' vulnerability dong-h0un U (Oct 27)
- Re: sh-httpd `wildcard character' vulnerability Thomas Binder (Oct 27)
- Re: sh-httpd `wildcard character' vulnerability Richard Brittain (Oct 28)
- Re: sh-httpd `wildcard character' vulnerability Dave Ahmad (Oct 28)