
Bug#390555: marked as done (CVE-2006-5050: Directory traversal vulnerability in httpd in busybox)



Your message dated Tue, 10 Oct 2006 15:11:39 +0200
with message-id <452B9C0B.2030300@antcom.de>
and subject line CVE-2006-5050: Directory traversal vulnerability in httpd in busybox
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: busybox
Severity: grave
Tags: security
Justification: user security hole


A vulnerability has been found in busybox:

Directory traversal vulnerability in httpd in Rob Landley BusyBox
allows remote attackers to read arbitrary files via URL-encoded
"%2e%2e/" sequences in the URI.

Please mention the CVE id in the changelog.


--- End Message ---
--- Begin Message ---
Hi,

I looked into this issue and discovered the following: Since I couldn't
reproduce this problem (neither with current busybox 1.1.3-3 in Debian
nor with the historical 1.01 that the original report refers to), I looked
at the respective networking/httpd.c:

=======================================================================
[... decoding things like %2e ...]
    /* algorithm stolen from libbb bb_simplify_path(),
       but don`t strdup and reducing trailing slash and protect out
       root */
    purl = test = url;

    do {
        if (*purl == '/') {
            if (*test == '/') { /* skip duplicate (or initial) slash */
                continue;
            } else if (*test == '.') {
                if (test[1] == '/' || test[1] == 0) { /*skip extra '.'*/
                    continue;
                } else if ((test[1] == '.') && (test[2] == '/' ||
                             test[2] == 0)) {
                    ++test;
                    if (purl == url) {
                        /* protect out root */
                        goto BAD_REQUEST;
                    }
                    while (*--purl != '/');    /* omit previous dir */
                    continue;
                }
            }
        }
        *++purl = *test;
    } while (*++test);
[...]
=======================================================================

Looks correct, works fine.

Closing bug report.

bye,
  Roland

--- End Message ---
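
The check discussed in the reply above, as an added example that is not part of the original messages or the BusyBox source: percent-decoding runs first, so "%2e%2e/" is already "../" when the path simplification sees it and is rejected at the root. The function names percent_decode and sanitize_url are hypothetical, and the simplification loop is a re-implementation modelled on the quoted excerpt.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: decode %XX in place; -1 on bad escape or NUL. */
static int percent_decode(char *s)
{
    char *out = s;
    for (; *s; ++out) {
        if (*s != '%') { *out = *s++; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], 0 };
        *out = (char)strtol(hex, NULL, 16);
        if (*out == 0)
            return -1;
        s += 3;
    }
    *out = 0;
    return 0;
}

/* Hypothetical wrapper: decode once, then collapse "//", "/./", "/../"
   in place. Returns 0 with the cleaned path in url, -1 if rejected. */
int sanitize_url(char *url)
{
    char *purl = url, *test = url;
    if (url[0] != '/' || percent_decode(url) != 0)
        return -1;
    do {
        if (*purl == '/') {
            if (*test == '/')
                continue;           /* duplicate or initial slash */
            if (*test == '.' && (test[1] == '/' || test[1] == 0))
                continue;           /* lone "." segment */
            if (*test == '.' && test[1] == '.' &&
                (test[2] == '/' || test[2] == 0)) {
                if (purl == url)
                    return -1;      /* ".." would leave the root */
                while (*--purl != '/') {}   /* drop previous directory */
                ++test;
                continue;
            }
        }
        *++purl = *test;
    } while (*++test);
    *++purl = 0;
    return 0;
}
```

Decoding exactly once matters here: a double-encoded "%252e%252e" comes out as the literal segment "%2e%2e" and is not treated as a parent-directory reference.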
