Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE request: ruby file creation due in insertion of illegal NUL character
From: Eitan Adler <lists () eitanadler com>
Date: Wed, 17 Oct 2012 13:39:18 -0400

On 17 October 2012 13:31, Simon McVittie <smcv () debian org> wrote:
As you imply, that pseudocode is a bad idea anyway: the webapp should
be ensuring that the filenames match a pattern more like
/^[A-Za-z0-9_]\.jpg$/ (or not allowing user-controlled filenames at
all), and/or the web server should be configured so it never trusts
files in the uploads directory (either as executable code or something
like .htaccess).

Anything vulnerable to this sort of trickery is probably vulnerable to
file-overwriting attacks via "../" path segments, too.

What if they ensure this sort of safety via some other mechanism?
(chroot for example)
What if they take the file name to be "anything after the final /" ?

I could see some instances, albeit contrived, where an application
might be vulnerable to this sort of attack, but not vulnerable to
generic path traversal.

Eitan Adler

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]