[BusyBox 0001008]: httpd file traversal vulnerability
bugs at busybox.net
Fri Nov 10 23:22:20 UTC 2006
The following issue has been CLOSED
======================================================================
http://busybox.net/bugs/view.php?id=1008
======================================================================
Reported By: bug-finder
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 1008
Category: Security
Reproducibility: always
Severity: major
Priority: normal
Status: closed
Resolution: open
Fixed in Version:
======================================================================
Date Submitted: 08-24-2006 16:47 PDT
Last Modified: 11-10-2006 15:22 PST
======================================================================
Summary: httpd file traversal vulnerability
Description:
The http daemon is vulnerable to a file traversal attack which can be
easily exploited when a URL-encoded dot is used. This can lead to total
system compromise. I have tested this with busybox 1.01 and I don't know if
other versions are vulnerable.
======================================================================
----------------------------------------------------------------------
vda - 11-10-06 15:22
----------------------------------------------------------------------
Current svn is not exhibiting it. I think this code is guarding against /../
attack:
    /* algorithm stolen from libbb bb_simplify_path(),
       but don't strdup and reducing trailing slash and
       protect out root */
    purl = test = url;
    do {
        if (*purl == '/') {
            if (*test == '/') {        /* skip duplicate (or initial) slash */
                continue;
            } else if (*test == '.') {
                if (test[1] == '/' || test[1] == 0) { /* skip extra '.' */
                    continue;
                } else if ((test[1] == '.') && (test[2] == '/' || test[2] == 0)) {
                    ++test;
                    if (purl == url) {
                        /* protect out root */
                        goto BAD_REQUEST;
                    }
                    while (*--purl != '/') /* omit previous dir */;
                    continue;
                }
            }
        }
        *++purl = *test;
    } while (*++test);

Issue History
Date Modified Username Field Change
======================================================================
08-24-06 16:47 bug-finder New Issue
08-24-06 16:47 bug-finder Status new => assigned
08-24-06 16:47 bug-finder Assigned To => BusyBox
11-10-06 15:22 vda Status assigned => closed
11-10-06 15:22 vda Note Added: 0001740
======================================================================
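
Added example (not BusyBox code and not part of the original report): the loop quoted in the note matches only literal '.' characters, so it guards against a URL-encoded dot only when percent-decoding runs before it. The names `url_decode`, `simplify_path`, `decode_then_simplify` and `simplify_then_decode` are hypothetical, and the reversed order is an assumption used for contrast, not a statement about what 1.01 did.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode s in place; -1 on a malformed escape or an encoded NUL. */
static int url_decode(char *s)
{
    char *out = s;
    for (; *s; s++) {
        if (*s != '%') { *out++ = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], 0 };
        char c = (char)strtol(hex, NULL, 16);
        if (c == 0) return -1;                      /* encoded NUL */
        *out++ = c;
        s += 2;
    }
    *out = 0;
    return 0;
}

/* The loop from the note as a function; -1 when ".." would climb above root. */
static int simplify_path(char *url)
{
    char *purl = url, *test = url;
    if (*url != '/') return -1;
    do {
        if (*purl == '/') {
            if (*test == '/') continue;                   /* duplicate slash */
            if (*test == '.') {
                if (test[1] == '/' || !test[1]) continue; /* skip "." */
                if (test[1] == '.' && (test[2] == '/' || !test[2])) {
                    ++test;
                    if (purl == url) return -1;           /* protect root */
                    while (*--purl != '/') ;              /* drop previous dir */
                    continue;
                }
            }
        }
        *++purl = *test;
    } while (*++test);
    *++purl = 0;        /* terminator: added here, not in the quoted excerpt */
    return 0;
}

/* Safe order: decode once, then normalize. Assumed wrong order: the reverse. */
int decode_then_simplify(char *p) { return url_decode(p) ? -1 : simplify_path(p); }
int simplify_then_decode(char *p) { return simplify_path(p) ? -1 : url_decode(p); }
```

With the constructed path `/%2e%2e/etc/passwd`, `decode_then_simplify` rejects the request, while `simplify_then_decode` accepts it and leaves `/../etc/passwd` in the buffer. The path must be decoded exactly once; a second decode after normalization reopens the same gap.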