[21616] in bugtraq
Re: Linux, too, sort of (Windows MS-DOS Device Name DoS vulnerabilities)
daemon@ATHENA.MIT.EDU (aland@striker.ottawa.on.ca)
Wed Jul 18 14:02:35 2001
To: bugtraq@securityfocus.com
In-Reply-To: Your message of "Wed, 18 Jul 2001 06:00:16 +0900."
<3B54A760.FEFB9844@yk.rim.or.jp>
Date: Wed, 18 Jul 2001 12:09:40 -0400
From: aland@striker.ottawa.on.ca
Message-Id: <E15MttN-0007Uj-00@giles.striker.ottawa.on.ca>
Ishikawa <ishikawa@yk.rim.or.jp> wrote:
> due to the problems mentioned,
> we should not forget that a famous browser client on
> Linux is similarly guilty.
>
> I tried the following URLs with
> my netscape browser under Linux.
>
> file:///dev/null
...
> file:///dev/zero
...
> file:///dev/pty0

A 'stat' of all of these files shows that they are not regular
files. There's no reason, then, to open them in the browser.

> If someone wants to be nasty, he/she can
> create a web page with
> URLs inside <IMG SRC="these device files" ....>
> listing DOS devices as well as these popular UNIX devices.

I question the wisdom of browsers which allow external web pages to
reference local files via 'file://' URLs.

> As someone mentioned, we can't predict what other
> device files may show up in the future by addition of
> new hardware drivers.

We also cannot predict where special files exist, either. Placing
the special file 'zero' in '/dev' is simply an administrative
convention on many Unix systems. Device files can exist anywhere.

> One may be tempted to block all the files below /dev inside
> the browser/servers.
> Could this be a cure for this problem under linux/UNIX?

No. The browsers should be using the 'fstat' function, prior to
opening any 'file://' URL. Regular files and directories should be
OK. Links should have their links de-referenced, and the linked-to
file 'fstat'ed also. Any other files should be ignored.

Alan DeKok.
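
The check described in the reply above, as an added example in C that is not part of the original message: the path is classified by file type rather than by location, links are followed to the linked-to file, and only regular files and directories are opened. The function name, the EINVAL error value and the sample paths are assumptions made for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Regular files and directories are acceptable; everything else is ignored. */
static int acceptable(const struct stat *st)
{
    return S_ISREG(st->st_mode) || S_ISDIR(st->st_mode);
}

/* Hypothetical helper (name is an assumption): returns a read-only
 * descriptor for the target of a file:// URL, or -1 with errno set. */
int open_file_url_target(const char *path)
{
    struct stat before, after;

    /* stat() follows symbolic links, so this checks the linked-to file.
     * Checking first means a device node is never opened at all. */
    if (stat(path, &before) != 0)
        return -1;
    if (!acceptable(&before)) {
        errno = EINVAL;
        return -1;
    }
    /* O_NONBLOCK and O_NOCTTY keep the open from hanging or acquiring a
     * terminal if the path was swapped for a FIFO or tty after the stat. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    /* fstat() on the descriptor confirms what was actually opened. */
    if (fstat(fd, &after) != 0 || !acceptable(&after)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed sample paths: two device files from the thread, one directory. */
    const char *samples[] = { "/dev/null", "/dev/zero", "/" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int fd = open_file_url_target(samples[i]);
        printf("%-10s %s\n", samples[i], fd >= 0 ? "opened" : "ignored");
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```

Because the decision is made on the file type, a device file placed outside '/dev' is rejected the same way as one inside it.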