Ticket #479 (closed security: fixed)

Opened 7 years ago

Last modified 7 years ago

directory traversal and file read

Reported by: dmorton
Owned by: dmorton
Priority: highest
Milestone: 1.0.3
Component: PHP scripts
Version: 1.0.1
Severity: critical
Keywords:
Cc:

Description

Adriel T. Desautels from http://www.netragard.com reports that the "lang" variable is not verified and can be used to display system files. More details can be found in their advisory.

In addition to "lang", I also found "prevlang" and "super" that needed to have some verification done.

I was not able to replicate the attack on any Linux system, but the examples given to me appear to be FreeBSD. I suspect the real security flaw is in a PHP/filesystem issue on particular operating systems. It seems some systems handle "%00" as a null-terminated string, and truncate the requested filename, returning a file other than what Maia requested.
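The kind of check this ticket calls for, as an added example that is not Maia Mailguard's code and not the patch in [1184]: a hypothetical script that picks a translation file from a "lang" request parameter. The unsafe pattern, the locale/ file layout and the function names are all assumptions here, since the ticket does not show the affected code. The same validation applies to "prevlang" and "super".

```php
<?php
// Added example; not Maia's code. Assumes translation files live in
// locale/<tag>.php next to this script (hypothetical layout).

// Unsafe pattern (illustrative): the request value shapes the path directly.
// "../../../../etc/passwd%00" walks out of locale/, and on a PHP build that
// stops reading the filename at the NUL byte the ".php" suffix is ignored,
// so the include returns a system file instead of a translation.
function locale_path_unsafe($lang)
{
    return __DIR__ . '/locale/' . $lang . '.php';
}

// Hardened: reject anything that is not a locale tag, require the tag to
// name a file that actually exists, and confirm the resolved path stays
// inside the locale directory. Returns null when any check fails.
function locale_path_safe($lang)
{
    $localeDir = __DIR__ . '/locale';

    // 1. Structural check: "en" or "pt_BR" style tags only. This rejects
    //    "/", "\", ".", and the NUL byte in one step (\A and \z anchor the
    //    whole string; "$" alone would tolerate a trailing newline).
    if (!is_string($lang) || !preg_match('/\A[a-z]{2}(_[A-Z]{2})?\z/', $lang)) {
        return null;
    }

    // 2. Allowlist check: the tag must match a file installed on disk.
    $available = array();
    foreach (glob($localeDir . '/*.php') ?: array() as $file) {
        $available[] = basename($file, '.php');
    }
    if (!in_array($lang, $available, true)) {
        return null;
    }

    // 3. Containment check: resolve symlinks and verify the prefix.
    $path = realpath($localeDir . '/' . $lang . '.php');
    $base = realpath($localeDir);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage: fall back to the default locale rather than erroring on hostile input.
$lang = isset($_GET['lang']) ? $_GET['lang'] : 'en';
$path = locale_path_safe($lang);
if ($path === null) {
    $path = locale_path_safe('en');
}
if ($path !== null) {
    include $path;
}
```

The allowlist step is what makes the fix independent of how a given OS or PHP build treats "%00": whether or not the filename would be truncated, a value that does not name an installed translation never reaches the filesystem call.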

Attachments

1184.diff (2.8 kB) - added by dmorton 7 years ago.
Patch file without DOS line endings…

Change History

Changed 7 years ago by dmorton

  • status changed from new to closed
  • resolution set to fixed

Whether or not the actual security breakdown is in the underlying OS, we need to defend against it. Fixed in [1184].

Changed 7 years ago by dmorton

Patch file without DOS line endings...
