Re: [Lxr-dev] Random file opening vulnerability in LXR
From: Malcolm B. <ma...@br...> - 2003-03-21 10:15:11
Hi Arne,

Yes, I do want to publish updates. I'll do that tonight.

For 0.9.2, I think we might need to look at how all the file accesses are done, plus what we do with the other untrusted input. The problem is deciding what the safe set is, because there have been plenty of reports already that we're too strict in httpwash. I think the right thing is to only block ".." and force the filename to be limited to the source root, and make sure we're not using the open() call that interprets the filename in any way. But really this needs a security audit - any volunteers?

Cheers,
Malcolm

Arne Georg Gleditsch wrote:
>Hi all,
>
>I've been alerted of a vulnerability in LXR 0.3 allowing an attacker
>to read random files on the hosting system as the http user.
>
>I've implemented a stop-gap fix on the lxr.linux.no site by patching
>lib/LXR/Config.pm as follows:
>
>--- lib/LXR/Config.pm 1998/04/30 11:58:17 1.3
>+++ lib/LXR/Config.pm 2003/03/10 09:13:32
>@@ -155,7 +155,9 @@
>
> sub varexpand {
> my ($self, $exp) = @_;
>- $exp =~ s/\$\{?(\w+)\}?/$self->{variable}->{$1}/g;
>+ $exp =~ s{\$\{?(\w+)\}?}{
>+ $self->{variable}->{$1} =~ /^([a-zA-Z0-9\.\-]*)$/ ? $1 : ''
>+ }ge;
> return($exp);
> }
>
>
>It looks like 0.9.2 is vulnerable, as well. Malcolm, do you want to
>publish updates to the download images on the sourceforge site?
>
> Arne.
>
>_______________________________________________
>Lxr-developer mailing list
>Lxr...@li...
>https://lists.sourceforge.net/lists/listinfo/lxr-developer
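Review bot: the whitelist `/^([a-zA-Z0-9\.\-]*)$/` in the `+` lines of the varexpand hunk still admits a value consisting only of dots, so a variable set to ".." passes the check unchanged and, where the expanded value is used as a path component (the concern this thread is about), still steps up one directory from the source root; the `*` quantifier also lets an empty value through. Consider requiring a leading alphanumeric, e.g. `/^([a-zA-Z0-9][a-zA-Z0-9.\-]*)$/`, which keeps dotted version names such as 2.4.20 working while rejecting "..", and since a rejected value is silently replaced by '' rather than reported, logging the rejection would make a broken configuration or an attack attempt visible in the error log.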
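The approach Malcolm sketches above (block "..", confine the name to the source root, and avoid an open() call that interprets the filename) as a worked Perl example. This is an added illustration, not LXR code and not from either poster; the function names, the whitelist rule (a value must begin with an alphanumeric, which rejects ".." while still allowing dotted version strings), and the sample directory layout and paths are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not LXR code): confine a user-supplied relative path to the
# source root and open it without letting open() interpret the name.
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Whitelist for variable values ($v, $a, ...) taken from the URL.
# Assumption: the value must start with an alphanumeric and be non-empty,
# so ".." and "" are rejected while "2.4.20" or "i386-smp" are accepted.
sub clean_variable {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A([A-Za-z0-9][A-Za-z0-9.\-]*)\z/ ? $1 : undef;
}

# Resolve $relpath under $root and refuse anything that escapes it.
# Returns the canonical absolute path, or undef on any failure.
sub confined_path {
    my ($root, $relpath) = @_;
    return undef unless defined $relpath;
    return undef if $relpath =~ /\0/;              # NUL would truncate the C string
    my @parts = grep { length } split m{/+}, $relpath;
    return undef if grep { $_ eq '..' } @parts;    # block ".." as a path component
    my $real_root = realpath($root);
    my $real      = realpath(File::Spec->catfile($root, @parts));
    return undef unless defined $real_root && defined $real;   # target must exist
    # Symlinks are already followed by realpath, so a prefix check on the
    # canonical names catches links that point above the root.
    return undef unless $real eq $real_root || index($real, "$real_root/") == 0;
    return $real;
}

# Three-argument, read-only open: unlike two-argument open(), the name is
# never scanned for '|', '<', '>' or '-', so it cannot turn into a pipe.
sub open_source_file {
    my ($root, $relpath) = @_;
    my $path = confined_path($root, $relpath);
    return undef unless defined $path && -f $path; # plain files only
    open(my $fh, '<', $path) or return undef;
    return $fh;
}

# --- constructed demo tree: a fake source root plus a file outside it ---
my $tmp  = tempdir(CLEANUP => 1);
my $root = "$tmp/source";
make_path("$root/linux-2.4/net");
open(my $out, '>', "$root/linux-2.4/net/socket.c") or die "open: $!";
print $out "/* sample */\n";
close $out;
open(my $secret, '>', "$tmp/secret") or die "open: $!";   # outside the root
print $secret "not for the http user\n";
close $secret;
symlink($tmp, "$root/escape");                       # symlink pointing above root

printf "%-22s %s\n", "variable '$_'",
    defined clean_variable($_) ? 'accepted' : 'rejected'
    for ('2.4.20', 'i386-smp', '..', '../2.4.20', '');

for my $try ('linux-2.4/net/socket.c',   # legitimate
             '../secret',                # ".." component
             'linux-2.4/../../secret',   # ".." buried in the middle
             'escape/secret',            # symlink out of the root
             "linux-2.4/net/socket.c\0x",# NUL truncation attempt
             'linux-2.4/net/socket.c|')  # would be a pipe under 2-arg open
{
    (my $shown = $try) =~ s/\0/\\0/g;
    my $fh = open_source_file($root, $try);
    printf "%-28s %s\n", $shown, $fh ? 'opened' : 'refused';
    close $fh if $fh;
}
```

Only the first path is opened; every other input is refused, the legitimate one via a handle obtained with the three-argument open. realpath() requires the target to exist, so the containment test runs on the resolved name rather than on the attacker's string, which is what defeats both ".." and symlinks; the separate ".." check is kept as an early, cheap rejection that also gives a clear reason to log.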