|
Bugtraq
mailing list archives
Re: sh-httpd `wildcard character' vulnerability
From: Richard Brittain <richard () northstar dartmouth edu>
Date: Tue, 28 Oct 2003 15:33:53 -0500 (EST)
On Mon, 27 Oct 2003, dong-h0un U wrote:
Vulnerabilty happens '*' because don't filtering.
Through this character, can know existence of files to directory.
...
This patch prevents the globbing, but also breaks the proper action of the
server because bname() no longer returns the filename.
A better patch is to disable all globbing in the script by turning on the
"-n" option in the shell.
--- sh-httpd-0.4/sh-httpd Mon Oct 9 11:28:05 2000
+++ sh-httpd.patch Sat Jul 19 08:51:44 2003
@@ -31,7 +31,7 @@
bname() {
local IFS='/'
- set -- $1
+ set -- "$1"
eval rc="\$$#"
[ "$rc" = "" ] && eval rc="\$$(($# - 1))"
echo "$rc"
@@ -262,7 +262,7 @@
# Split URI into base and query string at ?
IFS='?'
- set -- $URI
+ set -- "$URI"
QUERY_STRING="$2"
URL="$1"
IFS=$OIFS
@@ -292,7 +292,7 @@
fi
DIR="`dname $URL`"
- FILE="`bname $URL`"
+ FILE="`bname "$URL"`"
# Check for existance of directory
if [ ! -d "$DOCROOT/$DIR" ]; then
=== eof ===
Richard Brittain, Kiewit Computing Services, 6224 Baker/Berry Library
Dartmouth College, Hanover NH 03755
Email: richard.brittain () dartmouth edu
or: faculty-workstation-support () dartmouth
 By Date 
By Thread
Current thread:
| 
Intro
