Bugtraq mailing list archives
Re: mirror 2.9 hole
From: lists () MISTY EUNET PT (jcp)
Date: Wed, 20 Oct 1999 14:25:50 +0100
version stats: $Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $

The author of mirror, Lee McLoughlin, had this to say:

...
<QUOTE>
Anyhow. A simple fix to overcome this problem is to add the following to
your mirror.defaults (and to any package that overrides this setting):

    name_mappings=s:\.\./:__/:g

This should convert names like:

    " ../rot"

to

    " __/rot"

BUT I'VE NOT TESTED THIS!
</QUOTE>
...

I also didn't test this. I did make a quick patch to the mirror.pl script
to warn/log about attempts. Patch included.

regards
--
Jose' Carlos Pereira

On Tue, 19 Oct 1999, Stefan Kelm wrote:
[snip]
> I can confirm the behaviour you describe for mirror.pl,v 2.8 running on
> solaris although I wasn't able to create any temporary files by using a
> "\" in either the file names or the directory names.
>
> However, the default mirror configuration shows the following part:
>
>     # Don't touch anything whose name begins with a space!
>     exclude_patt=(^|/)(.mirror$|.in..*.$|MIRROR.LOG|#.*#|.FSP|.cache|.zipped|lost+found/| )
>
> (you might want to quote the space character at the end)
>
> Even the man page recommends using the line above. Be careful not to
> overwrite the keyword exclude_patt in your own mirror files. If you do
> have to use exclude_patt be sure to specify something like:
>
>     exclude_patt+|^blah/|
>
> (note the "+" sign!)
>
> This should not allow temporary files to be created through " ..". At
> least it didn't on my system. :-)
>
> Cheers,
> Stefan.
*** mirror.pl Mon Jun 8 11:55:27 1998 --- /usr/local/mirror2.9/mirror Wed Sep 29 16:34:01 1999 *************** *** 2657,2662 **** --- 2657,2701 ---- $no_rename = (! $remote_has_rename) || ($remote_fs eq 'macos' && ! $get_file); foreach $src_path ( @xfer_src ){ + + ## + #BEGIN jcp () EUnet pt 1999/09/29 + # + #Date: Tue, 28 Sep 1999 18:27:54 +0400 + #From: 3APA3A <wise () tomcat ru> + #To: BUGTRAQ () SECURITYFOCUS COM + #Subject: mirror 2.9 hole + # + #Hello BUGTRAQ () SECURITYFOCUS COM, + # + #mirror is a Perl script which is widely used for making copy of remote + #FTP site. It's included in FreeBSD packages. There are security holes, + #which allows overwrite local files from remote ftp site with + #permissions of the user who uses mirror. Then retrieving directory + #listing mirror doesn't check filename or directory name to contain + #".." or "\" This allows to create or overwrite files in directory + #different from destination. + # + #To simply test this bug you can create " .." directory on your ftp + #site and mirror your site. Mirror will create temporary files in + #directory one level higher then specifyed. This way you couldn't + #overwrite some useful information, but this may be used, for example, + #to fill out / directory (if mirror is ran from root). + # + #But with putting little changes into you ftpd (for example making him + #change '\' to '/' on listings) you can force mirror to overwrite _any_ + #file with permissions of mirror user then he mirrors your ftp site. + # + # + #Tested with: + #$ mirror -v + #$Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $ + + if( $src_path =~ /\w*\.\.\//){ + &msg( $log, "WARNING: BAD dir detected, skipping: $src_path\n" ); + next; + } + #END jcp () EUnet pt if( $get_file ){ $srci = $remote_map{ $src_path }; }
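Review bot: the guard `if( $src_path =~ /\w*\.\.\//)` only rejects names that contain `../` with a trailing slash, so an entry whose final component is `..` (for example `pub/..`) passes, and the leading `\w*` is a no-op because it also matches the empty string. The advisory reproduced in the same hunk names backslashes as the second vector, and the patch never checks for them; a component-wise test such as `$src_path =~ m{(^|/)\.\.(/|$)}` together with `$src_path =~ m{\\}` would cover both before the existing `&msg( $log, "WARNING: ..." )` and `next`. Separately, copying the whole Bugtraq post into the loop body as comments makes the hunk hard to read; a one-line reference to the advisory would do.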
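As an added example, not part of the original post or of mirror.pl, the following standalone Perl script puts the two ideas from this thread side by side: the `name_mappings=s:\.\./:__/:g` substitution quoted from Lee McLoughlin, and a stricter component-wise filter of the kind the patch above attempts. The filter goes a little beyond the patch by also rejecting backslashes (the second vector the advisory names), absolute paths, and names whose component begins with a space (what the default exclude_patt is meant to catch). The function names `safe_remote_name` and `map_dotdot` and the sample listing entries are my own constructions.

```perl
#!/usr/bin/perl -w
# Added example, not part of mirror.pl or of the Bugtraq post.
# Shows the name_mappings workaround next to a stricter filter for
# names taken from a remote FTP listing.  Function names and the
# sample listing below are constructed for this illustration.
use strict;

# Return 1 if $name may be used as a path relative to the local
# mirror directory, 0 if it could escape it.  Rejects:
#   - a backslash anywhere (the second vector named in the advisory)
#   - an absolute path
#   - a component that begins with a space (what the trailing "| )"
#     alternative in the default exclude_patt is meant to catch)
#   - a ".." component, with or without a trailing slash
sub safe_remote_name {
    my ($name) = @_;
    return 0 if $name =~ m{\\};
    return 0 if $name =~ m{^/};
    return 0 if $name =~ m{(^|/)[ ]};
    return 0 if $name =~ m{(^|/)\.\.(/|$)};
    return 1;
}

# The name_mappings substitution quoted in the thread, applied the way
# mirror applies it: every "../" becomes "__/".  Returns the mapped name.
sub map_dotdot {
    my ($name) = @_;
    $name =~ s:\.\./:__/:g;
    return $name;
}

# Constructed listing entries: one ordinary file plus the shapes the
# thread worries about.
my @listing = (
    'pub/mirror.tar.gz',   # ordinary, should pass
    ' ../rot',             # the example from the quoted mail
    '../../etc/passwd',    # classic traversal
    'pub/..',              # ".." as final component, no trailing slash
    'pub\..\x',            # backslash variant (single quotes keep the backslashes literal)
    '/etc/passwd',         # absolute path
    'a..b/c',              # dots inside a name, legitimate
);

printf "%-20s %-8s %s\n", 'name', 'filter', 'name_mappings result';
for my $n (@listing) {
    printf "%-20s %-8s %s\n", $n,
        safe_remote_name($n) ? 'ok' : 'REJECT',
        map_dotdot($n);
}
```

Run it with `perl` and compare the two columns. The rows for `pub/..` and `pub\..\x` are the point: the substitution only rewrites `../` when the slash follows and never touches backslashes, so on its own it narrows the hole rather than closing it, while the component-wise filter rejects both. Used together in mirror, the mapping keeps harmless odd names mirrorable and the filter (or a correct exclude_patt) stops anything that could leave the destination directory.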