[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: FreeBSD suggests not to use lynx.

Andreas Tille wrote:
> >   if [ -f /tmp/$$.html ]; then
> >       rm -f /tmp/$$.html
> >   fi
> >   /usr/lib/cgi-bin/dsearch $1 | \
> > 	    sed 's/\/doc/\/usr\/share\/doc/g' > /tmp/$$.html
> Could you be so kind for unclever people like me to explain this
> anywhere (may be on devel) how this would work.  I don't see the relation
> between /tmp/$$.html and would like to understand the problem to avoid
> such cases i my own programs.

It's quite simple. An attacker merely guesses what pid the script will run
with, and makes a /tmp/<pid>.html file that is a link to, say, /etc/passwd.

The attacker then enters a tight loop, looking at the file (it might help
you to thisk of it forking off about 50 attackers, all doing this). If it is
deleted, it replaces it with the same link.

1 When the script runs, it deletes the file. 
2 With luck, the attacker runs at the right time, and replaces it.
3 The script echos some text to the file. Which is a symlink to /etc/passwd, and
  results in /etc/passwd being trashed.

See any introductory security text for details.

see shy jo

Reply to: