[23594] in bugtraq
Re: IRM Security Advisory 002: Netware Web Server Source
daemon@ATHENA.MIT.EDU (Alun Jones)
Fri Dec 21 14:42:05 2001
Message-Id: <4.3.2.7.2.20011221122448.01e4cd30@208.55.91.110>
Date: Fri, 21 Dec 2001 12:27:07 -0600
To: Ulf Harnhammar <ulf@nic.st>
From: Alun Jones <alun@texis.com>
Cc: eNowak IGF remote <nowak@rz.uni-frankfurt.de>, <bugtraq@securityfocus.com>
In-Reply-To: <Pine.LNX.4.33.0112211149340.18352-100000@ebola.iwerk.st>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 04:53 AM 12/21/2001, Ulf Harnhammar wrote:
>On Thu, 20 Dec 2001, eNowak IGF remote wrote:
>
> > // only read file which is under the secure sewse path -- hence filtering ".."
> > if ((argv[i]).indexOf("..") != -1)
> > { return "Cannot read from insecure path."; }
>
>This fix does not seem to allow people to use filenames that include the
>characters ".." (i e, "my_document..ulf.txt" is not valid). It is probably
>better to parse the file name, so you know what parts are directories and
>what part is the file name, and then check the directory parts for the
>exact strings "." and "..".
Better still, and more likely to catch things that you're not expecting, is
to construct the full absolute path of the target file, and compare _that_,
not the user's input, to a validation rule set.
Your own solution, for instance, doesn't catch certain OS's choice to use
"..." to represent "two directories up", nor does it catch "//" in the
middle of a path. Better to expand to a full path, and then do the comparison.
Alun.
~~~~
--
Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.
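The difference between the two approaches under discussion, as an added illustration that is not code from the advisory, from Ulf or from Alun: the quoted substring filter beside a check that first builds the full path the request would touch and then compares that path against the permitted document root. The document root `/srv/www/docs` and the sample filenames are constructed for the example. `posixpath.normpath` is a purely lexical normalisation, used here so the example behaves the same on every platform; on a live server the equivalent step is the operating system's own canonicalisation (for example `os.path.realpath`), which is what catches OS-specific spellings such as the `...` case mentioned above.

```python
import posixpath
from typing import Optional

# Constructed example: the only directory the server may serve files from.
DOCROOT = "/srv/www/docs"


def substring_filter(user_path: str) -> bool:
    """The quoted fix: reject any input containing the substring ".."."""
    return ".." not in user_path


def resolve_under_docroot(user_path: str, docroot: str = DOCROOT) -> Optional[str]:
    """Build the absolute path the request would actually open and return it
    only if it lies strictly inside docroot; otherwise return None.

    The comparison is made on the expanded path, not on the user's input,
    so doubled slashes, "." and ".." components and "..", anywhere in a
    filename are all handled by the same rule.
    """
    # Treat the input as relative to docroot even if it starts with "/".
    joined = posixpath.join(docroot, user_path.lstrip("/"))
    # Lexical normalisation: collapses "//", drops "." and applies "..".
    candidate = posixpath.normpath(joined)
    # Component-wise comparison: "/srv/www/docs2" must not pass as docroot,
    # and docroot itself is a directory, not a servable file.
    if candidate == docroot:
        return None
    if posixpath.commonpath([docroot, candidate]) != docroot:
        return None
    return candidate


def canonical_check(user_path: str, docroot: str = DOCROOT) -> bool:
    """Accept the request only if the expanded path stays inside docroot."""
    return resolve_under_docroot(user_path, docroot) is not None


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name containing "..",
    # two traversal attempts, one plain request.
    for name in ["my_document..ulf.txt",
                 "../../etc/passwd",
                 "reports//..//../../etc/passwd",
                 "reports/q4.html"]:
        print(f"{name!r:40} substring={substring_filter(name)!s:5} "
              f"canonical={canonical_check(name)!s:5} "
              f"-> {resolve_under_docroot(name)}")
```

Running the block shows the legitimate `my_document..ulf.txt` rejected by the substring filter but accepted by the path comparison, while both traversal attempts resolve to a path outside the document root and are refused.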