[32204] in bugtraq
Re: sh-httpd `wildcard character' vulnerability
daemon@ATHENA.MIT.EDU (Richard Brittain)
Tue Oct 28 18:11:48 2003
Date: Tue, 28 Oct 2003 15:33:53 -0500 (EST)
From: Richard Brittain <richard@northstar.dartmouth.edu>
To: dong-h0un U <xploit@hackermail.com>
Cc: <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>,
<vulnwatch@vulnwatch.org>
In-Reply-To: <20031027144245.18220.qmail@hackermail.com>
Message-ID: <Pine.GSO.4.33.0310281525160.22635-100000@sunray>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Mon, 27 Oct 2003, dong-h0un U wrote:
> Vulnerabilty happens '*' because don't filtering.
> Through this character, can know existence of files to directory.
...
This patch prevents the globbing, but also breaks the proper action of the
server because bname() no longer returns the filename.
A better patch is to disable all globbing in the script by turning on the
"-n" option in the shell.
> --- sh-httpd-0.4/sh-httpd Mon Oct 9 11:28:05 2000
> +++ sh-httpd.patch Sat Jul 19 08:51:44 2003
> @@ -31,7 +31,7 @@
>
> bname() {
> local IFS='/'
> - set -- $1
> + set -- "$1"
> eval rc="\$$#"
> [ "$rc" = "" ] && eval rc="\$$(($# - 1))"
> echo "$rc"
> @@ -262,7 +262,7 @@
>
> # Split URI into base and query string at ?
> IFS='?'
> - set -- $URI
> + set -- "$URI"
> QUERY_STRING="$2"
> URL="$1"
> IFS=$OIFS
> @@ -292,7 +292,7 @@
> fi
>
> DIR="`dname $URL`"
> - FILE="`bname $URL`"
> + FILE="`bname "$URL"`"
>
> # Check for existance of directory
> if [ ! -d "$DOCROOT/$DIR" ]; then
> === eof ===
Richard Brittain, Kiewit Computing Services, 6224 Baker/Berry Library
Dartmouth College, Hanover NH 03755
Email: richard.brittain@dartmouth.edu
or: faculty-workstation-support@dartmouth
