oss-sec mailing list archives
Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack
From: Pierre Joye <pierre.php () gmail com>
Date: Tue, 1 Mar 2011 13:21:46 +0100
On Tue, Mar 1, 2011 at 1:19 PM, Dan Rosenberg <dan.j.rosenberg () gmail com> wrote:
The easiest way is to just open the target with the O_NOFOLLOW flag to avoid following symlinks and abort on failure. If you need to support systems that don't have this flag, then perhaps you could consider using an application-specific temporary directory instead of operating in the world-writable /tmp.
In php, hard to do. But that's something we should keep in mind, maybe we can expose this flag somehow.
Also, I don't see a reason why a hard link couldn't be used for exploitation instead.Hard link are not detectable (lstat), they are treated like normal files.Sure they are - just open the file, fstat() it,
+from PHP script. -- Pierre @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
Current thread:
- CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Helgi Þormar Þorbjörnsson (Feb 28)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Dan Rosenberg (Feb 28)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Pierre Joye (Mar 01)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Helgi Þormar Þorbjörnsson (Mar 01)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Vincent Danen (Mar 03)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Dan Rosenberg (Mar 01)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Pierre Joye (Mar 01)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Helgi Þormar Þorbjörnsson (Mar 01)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Helgi Þormar Þorbjörnsson (Mar 08)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Vincent Danen (Mar 11)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Pierre Joye (Mar 01)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Dan Rosenberg (Feb 28)