tech-security archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: bozo .htpasswd exposure
still seeing this. (after cvs update -C)
The request in question is "localhost/.htpasswd"
in check_bzredirect the first sprintf copies all except the first
charater (/ in this case) of hr_file to dir. dir now = ".htpasswd".
basename then searches for "/" at the strrchr; the result is basename
= NULL before the if conditional (before check_special_files). The if
conditional results in basename = "", the call to check_special_files
is called to search for "" resulting in passing the check resulting in
sending the file to the user.
I think strrchr/conditionals/check_special_files would succeed if we
sprintf'd from the root of hr_file, but I'm unsure if that would break
something else down the line.
The only thing I question is if I'm tracking current with the update
-C -- sorry for the email if I'm incorrect there.
J
On Wed, Nov 21, 2018 at 4:41 AM matthew green <mrg%eterna.com.au@localhost> wrote:
>
> OK, i've commited fixes for all these problems to -current.
>
> one additional comment:
>
> > (Additionally, the "|| basename[1]" part of the if clause seems to make
> > assumptions of the contents of basename[0] and it seems could lead to
> > bypassing the check_special_files call in the case of one-character-long
> > directory names; but this statement needs more research)
>
> this conditional sould be OK. either basename is NULL or
> it points to a non-nul char of a nul-terminated string,
> so basename[1] should be valid to check.
>
> thanks again for your research finding flaws in bozohttpd.
>
>
> .mrg.
Home |
Main Index |
Thread Index |
Old Index