Re: [Lxr-dev] Random file opening vulnerability in LXR
From: Giacomo A. C. <ca...@de...> - 2003-03-21 10:36:13
Malcolm Box wrote:
> Hi Arne,
>
> Yes, I do want to publish updates. I'll do that tonight.
>
> For 0.9.2, I think we might need to look at how all the file accesses
> are done, plus what we do with the other untrusted input. The problem is
> deciding what the safe set is, because there have been plenty of reports
> already that we're too strict in httpwash.
>
> I think the right thing is to only block ".." and force the filename to
> be limited to the source root, and make sure we're not using the open()
> call that interprets the filename in any way.
>
> But really this needs a security audit - any volunteers?

If I understand the vulnerability correctly, it happens only because of the expansion of $v and $a, but all the possible values are already stored in some configuration files, so it is simple to check that $v and $a are in the correct set of values, and then to do the variable expansion manually (e.g. a simple string substitution), instead of the normal Perl expansion.

BTW, FYI, the vulnerability is a candidate CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0156

BTW I see that some big projects use LXR; would you publish a list of such servers? If you are interested, I will try to compile the list.

ciao
giacomo
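The checks discussed in this message, as an added Perl sketch that is not part of the original post and is not LXR's code: `$v` and `$a` are accepted only if they appear in a configured set, the template is expanded by literal substitution, and files are opened with three-argument `open` under the source root. The configuration values, paths and function names are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration; not LXR code. All names, paths and values are hypothetical.
use strict;
use warnings;
use File::Spec;

# Constructed configuration: the only values $v and $a may take.
my %allowed = (
    v => [qw(2.4.20 2.5.65)],
    a => [qw(i386 alpha)],
);
my $sourceroot = '/srv/lxr/source';
# Single quotes: '$v' and '$a' stay literal text, Perl does not interpolate them.
my $template = '/srv/lxr/source/$v/include/asm-$a';

# Return the value only if it is a member of the configured set.
sub checked_value {
    my ($name, $value) = @_;
    return undef unless defined $value;
    return (grep { $_ eq $value } @{ $allowed{$name} }) ? $value : undef;
}

# Expand $v and $a by plain string substitution, never by eval or interpolation.
sub expand_template {
    my ($tmpl, %req) = @_;
    for my $name (keys %allowed) {
        my $value = checked_value($name, $req{$name});
        return undef unless defined $value;
        $tmpl =~ s/\$\Q$name\E\b/$value/g;
    }
    return $tmpl;
}

# Reject ".." components and confine the path to the source root.
sub open_source_file {
    my ($dir, $relpath) = @_;
    return undef if grep { $_ eq '..' } File::Spec->splitdir($relpath);
    my $full = File::Spec->catfile($dir, $relpath);
    return undef unless index($full, "$sourceroot/") == 0;
    # Three-argument open: the mode is a separate argument, so "|", "<" or ">"
    # in the name are treated as part of the file name and nothing else.
    open(my $fh, '<', $full) or return undef;
    return $fh;
}

for my $req ({ v => '2.4.20', a => 'i386' }, { v => '../../etc', a => 'i386' }) {
    my $dir = expand_template($template, %$req);
    print defined $dir ? "accepted: $dir\n" : "rejected: v=$req->{v} a=$req->{a}\n";
}
print "rejected path\n"
    unless open_source_file("$sourceroot/2.4.20", '../../../etc/passwd');
```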