Bug#516829: Http double slash request arbitrary file access vulnerability
Hi,
here is a copy of an email I wrote today:
Mehdi Dogguy wrote:
> > Hello,
> >
> > I'm trying to understand why the submitted patch is enough to fix the
> > issue. More particularly, how /../ are removed from the url?
> >
> > Cheers,
> >
Hi,
the fix for MLDonkey consists of two parts. First, this patch, which
removes leading slashes from the path/filename part of a URL:
http://cvs.savannah.gnu.org/viewvc/mldonkey/src/utils/lib/url.ml?root=mldonkey&r1=1.9&r2=1.10
This fixes http://mldonkey:4080//etc/passwd style attacks.
This was not enough, however, to fix the problem, so I added this patch:
http://cvs.savannah.gnu.org/viewvc/mldonkey/src/daemon/driver/driverControlers.ml?root=mldonkey&r1=1.113&r2=1.114
The old code worked like this:
If the file requested is not an MLDonkey command or an otherwise
internally defined file, this code was called:
| s -> http_send_bin r buf (String.lowercase s)
The function http_send_bin was extended in MLDonkey 2.8.4 to
check the internal commonPictures database, which contains country
flags; if a file was not found there, File.to_string was called, which
reads files from the local filesystem -> bad idea.
So, the problem was created when country flags were added to
MLDonkey.
I changed the code shown above to
| s -> http_send_bin_pictures r buf (String.lowercase s)
http_send_bin_pictures is basically the same function as
http_send_bin, but it only checks the commonPictures database
and does not read any files from the local disc -> problem solved.
Cheers, spiralvoice
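The two-part fix described in this mail, modelled in Python as an added illustration (it is not MLDonkey's OCaml code): the picture table, the fake disk contents and the picture bytes are constructed stand-ins, and http_send_bin_old models the pre-fix fallback without opening any real file. It shows why the /../ question is moot: the name is never normalised, it simply can no longer reach the filesystem.

```python
from urllib.parse import urlsplit
from typing import Optional, Tuple

# Constructed stand-in for MLDonkey's internal commonPictures database
# (the country flags served by the web interface).
COMMON_PICTURES = {
    "flag_de.png": b"<constructed png bytes for de>",
    "flag_fr.png": b"<constructed png bytes for fr>",
}

# Constructed stand-in for the local filesystem; only used to model the
# old File.to_string fallback, no real file is ever read here.
FAKE_DISK = {"etc/passwd": b"root:x:0:0:root:/root:/bin/sh"}


def url_file_part(url: str) -> str:
    """Part one (the url.ml change): take the path component and drop every
    leading slash, so '//etc/passwd' becomes 'etc/passwd'."""
    return urlsplit(url).path.lstrip("/")


def http_send_bin_old(name: str) -> Optional[bytes]:
    """Pre-fix behaviour (MLDonkey 2.8.4): picture table first, then fall
    back to reading the name from disk. This fallback is the bug."""
    return COMMON_PICTURES.get(name.lower(), FAKE_DISK.get(name))


def http_send_bin_pictures(name: str) -> Optional[bytes]:
    """Part two (the driverControlers.ml change): consult the picture table
    only. Whatever '..' or slashes the name still contains, a miss is a miss."""
    return COMMON_PICTURES.get(name.lower())


def serve(url: str) -> Tuple[int, Optional[bytes]]:
    """Model the dispatcher's default branch after the fix: unknown names go
    to the pictures-only handler; a miss is a 404, never a disk read."""
    body = http_send_bin_pictures(url_file_part(url))
    return (200, body) if body is not None else (404, None)


if __name__ == "__main__":
    for u in ("http://mldonkey:4080/flag_DE.png",
              "http://mldonkey:4080//etc/passwd",
              "http://mldonkey:4080/../etc/passwd"):
        print(u, "->", serve(u)[0])
```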