[21640] in bugtraq
RE: Linux, too, sot of (Windows MS-DOS Device Name DoS vulnerabil
daemon@ATHENA.MIT.EDU (Cole, Timothy D.)
Thu Jul 19 12:42:08 2001
Message-ID: <D2044F13396BD511BABD00A0C927DADBAAB59D@xcgmd008.md.essd.northgrum.com>
From: "Cole, Timothy D." <timothy_d_cole@md.northgrum.com>
To: bugtraq@securityfocus.com
Date: Wed, 18 Jul 2001 14:23:43 -0400
MIME-Version: 1.0
Content-Type: text/plain
> -----Original Message-----
> From: aland@striker.ottawa.on.ca [SMTP:aland@striker.ottawa.on.ca]
> Sent: Wednesday, July 18, 2001 12:10
> To: bugtraq@securityfocus.com
> Subject: Re: Linux, too, sot of (Windows MS-DOS Device Name DoS
> vulnerabilities)
>
> Ishikawa <ishikawa@yk.rim.or.jp> wrote:
> > due to the problems mentioned,
> > we should not forget that a famous browser client on
> > Linux is similarly guilty.
> >
> > I tried the following URLs with
> > my netscape browser under Linux.
> >
> > file:///dev/null
> ...
> > file:///dev/zero
> ...
> > file:///dev/pty0
>
> A 'stat' of all of these files shows that they are not regular
> files. There's no reason, then, to open them in the browser.
>
> > If someone wants to be nasty, he/she can
> > create a web page with
> > URLs inside <IMG SRC="these device files" ....>
> > listing DOS devices as well as these popular UNIX devices.
>
> I question the wisdom of browsers which allow external web pages to
> reference local files via 'file://' URLs.
>
I agree; that's really the underlying problem. Checking for special
files is a band-aid fix that also limits flexibility.
References to 'local' URLs (file: and otherwise) from 'non-local'
documents should at least produce a confirmation dialog. Beyond that,
configurable policy facilities like those starting to show up in browsers
for cookies etc. would be nice.
> > As someone mentioned, we can't predict what other
> > device files may show up in the future by addition of
> > new hardware drivers.
>
> We also cannot predict where special files exist, either. Placing
> the special file 'zero' in '/dev' is simply an administrative
> convention on many Unix systems. Device files can exist anywhere.
>
On some kernels (HURD, or Linux/*BSD with userfs), normal files can
be equally "magic".
As a general principle, regardless of platform, local paths may
encompass more than just 'dumb' files, so following 'remote' references to
them should be restricted.
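
The two checks discussed in this thread, as an added example that is not part of the original message or of any browser's code: the origin rule (a non-local document referencing a file: URL) is applied first, and the 'stat' check for special files only second. The function names, the "allow"/"confirm"/"deny" return values and the example.com URLs are assumptions made for illustration.

```python
import os
import stat
from urllib.parse import urlsplit, unquote

LOCAL_SCHEMES = {"file"}  # assumption: only file: counts as 'local' here


def is_local(url):
    return urlsplit(url).scheme.lower() in LOCAL_SCHEMES


def is_regular_file(path):
    """The 'stat' check: reject device nodes, FIFOs, sockets, directories."""
    try:
        st = os.stat(path)  # follows symlinks, so a link to /dev/zero is rejected
    except OSError:
        return False
    # A userfs-style 'magic' file still reports as regular and passes this,
    # which is why the origin rule below is the primary control.
    return stat.S_ISREG(st.st_mode)


def decide(document_url, resource_url):
    """Return 'allow', 'confirm' or 'deny' for a subresource load."""
    if not is_local(resource_url):
        return "allow"  # remote resource: outside this policy
    if not is_local(document_url):
        # Non-local page pointing at a local path, wherever the path lives:
        # ask the user at minimum, per the reply in the thread.
        return "confirm"
    # Local page, local resource: fall back to the special-file check.
    path = unquote(urlsplit(resource_url).path)
    return "allow" if is_regular_file(path) else "deny"


def demo():
    # Constructed sample cases (document URL, resource URL).
    cases = [
        ("http://example.com/page.html", "file:///dev/zero"),
        ("http://example.com/page.html", "http://example.com/logo.png"),
        ("file:///home/user/index.html", "file:///dev/null"),
    ]
    return [decide(doc, res) for doc, res in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```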