Bugtraq mailing list archives
Re: sh-httpd `wildcard character' vulnerability
From: Richard Brittain <richard () northstar dartmouth edu>
Date: Tue, 28 Oct 2003 15:33:53 -0500 (EST)
On Mon, 27 Oct 2003, dong-h0un U wrote:
Vulnerabilty happens '*' because don't filtering. Through this character, can know existence of files to directory.
... This patch prevents the globbing, but also breaks the proper action of the server because bname() no longer returns the filename. A better patch is to disable all globbing in the script by turning on the "-n" option in the shell.
--- sh-httpd-0.4/sh-httpd Mon Oct 9 11:28:05 2000 +++ sh-httpd.patch Sat Jul 19 08:51:44 2003 @@ -31,7 +31,7 @@ bname() { local IFS='/' - set -- $1 + set -- "$1" eval rc="\$$#" [ "$rc" = "" ] && eval rc="\$$(($# - 1))" echo "$rc" @@ -262,7 +262,7 @@ # Split URI into base and query string at ? IFS='?' - set -- $URI + set -- "$URI" QUERY_STRING="$2" URL="$1" IFS=$OIFS @@ -292,7 +292,7 @@ fi DIR="`dname $URL`" - FILE="`bname $URL`" + FILE="`bname "$URL"`" # Check for existance of directory if [ ! -d "$DOCROOT/$DIR" ]; then === eof ===
Richard Brittain, Kiewit Computing Services, 6224 Baker/Berry Library Dartmouth College, Hanover NH 03755 Email: richard.brittain () dartmouth edu or: faculty-workstation-support@dartmouth
Current thread:
- sh-httpd `wildcard character' vulnerability dong-h0un U (Oct 27)
- Re: sh-httpd `wildcard character' vulnerability Richard Brittain (Oct 28)