Your message dated Tue, 10 Oct 2006 15:11:39 +0200
with message-id <452B9C0B.2030300@antcom.de>
and subject line CVE-2006-5050: Directory traversal vulnerability in httpd in busybox
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: CVE-2006-5050: Directory traversal vulnerability in httpd in busybox
- From: Stefan Fritsch <sf@sfritsch.de>
- Date: Sun, 01 Oct 2006 21:24:38 +0200
- Message-id: <20061001192438.24379.15283.reportbug@k.lan>

Package: busybox
Severity: grave
Tags: security
Justification: user security hole

A vulnerability has been found in busybox:

Directory traversal vulnerability in httpd in Rob Landley BusyBox allows remote attackers to read arbitrary files via URL-encoded "%2e%2e/" sequences in the URI.

Please mention the CVE id in the changelog.

--- End Message ---
--- Begin Message ---
- To: 390555-close@bugs.debian.org
- Subject: CVE-2006-5050: Directory traversal vulnerability in httpd in busybox
- From: Roland Stigge <stigge@antcom.de>
- Date: Tue, 10 Oct 2006 15:11:39 +0200
- Message-id: <452B9C0B.2030300@antcom.de>

Hi,

I looked into this issue and discovered the following:

Since I couldn't reproduce this problem (neither with current busybox 1.1.3-3 in Debian nor with historical 1.01 where the original report refers to), I looked at the respective networking/httpd.c:

=======================================================================
[... decoding things like %2e ...]

    /* algorithm stolen from libbb bb_simplify_path(),
       but don`t strdup and reducing trailing slash and protect out root */
    purl = test = url;

    do {
        if (*purl == '/') {
            if (*test == '/') {        /* skip duplicate (or initial) slash */
                continue;
            } else if (*test == '.') {
                if (test[1] == '/' || test[1] == 0) { /*skip extra '.'*/
                    continue;
                } else if ((test[1] == '.') && (test[2] == '/' || test[2] == 0)) {
                    ++test;
                    if (purl == url) {
                        /* protect out root */
                        goto BAD_REQUEST;
                    }
                    while (*--purl != '/');    /* omit previous dir */
                    continue;
                }
            }
        }
        *++purl = *test;
    } while (*++test);

[...]
=======================================================================

Looks correct, works fine. Closing bug report.

bye,
Roland

--- End Message ---