Home page logo
/

basics logo Security Basics mailing list archives

Re: Creating file on login
From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Thu, 27 Nov 2003 10:56:08 -0700

On Thu, Nov 27, 2003 at 08:34:46AM -0300, Fausto wrote:
   I have a system that when one try to login it create a file with the 
name of the user that tried to log.
   The problem is that if the do not exists the system creates the file 
with the invalid user...
   Can we do some exploit in this case...??
   Is this problem dangerous...

I am not sure an exploit is possible or practical.  A login name of
/etc/passwd or ../../../../../../passwd may not yield desirable results.

And there is of course the simple (and possible) DoS on your
filesystem where one just trys to login using random strings in an
attempt to use all inodes on the filesystem (or disk space, whichever
really...)

A single log file, using XML or other easily parsible tagging system
will yield the same result without the problems from above.

Or you could just sanitize usernames before using them as a filename -
sanitizing user input before you use it is always a good idea.
-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         Joyously Canadian               Computer Science

---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault