tech-security archive


Re: bozo .htpasswd exposure



still seeing this. (after cvs update -C)

The request in question is "localhost/.htpasswd"

in check_bzredirect the first sprintf copies all except the first
character (/ in this case) of hr_file to dir.  dir now = ".htpasswd".
basename then searches for "/" at the strrchr; the result is basename
= NULL before the if conditional (before check_special_files).  The if
conditional results in basename = "", check_special_files is then
called to search for "", which passes the check and results in the
file being sent to the user.

I think strrchr/conditionals/check_special_files would succeed if we
sprintf'd from the root of hr_file, but I'm unsure if that would break
something else down the line.

The only thing I question is if I'm tracking current with the update
-C -- sorry for the email if I'm incorrect there.

J
On Wed, Nov 21, 2018 at 4:41 AM matthew green <mrg%eterna.com.au@localhost> wrote:
>
> OK, i've committed fixes for all these problems to -current.
>
> one additional comment:
>
> > (Additionally, the "|| basename[1]" part of the if clause seems to make
> > assumptions of the contents of basename[0] and it seems could lead to
> > bypassing the check_special_files call in the case of one-character-long
> > directory names; but this statement needs more research)
>
> this conditional should be OK.  either basename is NULL or
> it points to a non-nul char of a nul-terminated string,
> so basename[1] should be valid to check.
>
> thanks again for your research finding flaws in bozohttpd.
>
>
> .mrg.
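
The failure sequence described in the mail, as an added illustration that is not bozohttpd's own code: the flawed path drops the leading "/" before strrchr() runs, so a request for "/.htpasswd" yields a basename of "" and slips past the special-file check, while copying from the root of hr_file (the change the mail suggests) keeps the "/" and treats a slash-less string as a whole basename. The helper names (is_special_file, basename_flawed, basename_fixed, would_serve_*), the list of protected names and the sample request paths are all assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative reconstruction of the basename/special-file logic described
 * in the mail. The function names and the list of protected names below are
 * assumptions; this is not bozohttpd's actual source.
 */

static const char *const special_files[] = { ".htpasswd", ".htaccess", NULL };

/* True if `name` is a file the server must never hand to a client. */
static bool is_special_file(const char *name)
{
    for (const char *const *p = special_files; *p != NULL; p++)
        if (strcmp(name, *p) == 0)
            return true;
    return false;
}

/*
 * Flawed extraction, as the mail describes it: `dir` is hr_file with its
 * first character dropped, so for "/.htpasswd" there is no '/' left for
 * strrchr() to find and basename collapses to "".
 */
static const char *basename_flawed(const char *hr_file, char *dir, size_t dirlen)
{
    snprintf(dir, dirlen, "%s", hr_file + 1);      /* skips the leading '/' */
    const char *basename = strrchr(dir, '/');
    if (basename == NULL)
        basename = "";                              /* the bug: "" is never "special" */
    else
        basename++;
    return basename;
}

/*
 * Corrected extraction: copy from the root of hr_file so the leading '/'
 * survives, and treat a string without any '/' as being entirely a basename.
 */
static const char *basename_fixed(const char *hr_file, char *dir, size_t dirlen)
{
    snprintf(dir, dirlen, "%s", hr_file);
    const char *basename = strrchr(dir, '/');
    return basename == NULL ? dir : basename + 1;
}

/* Decision helpers: true means the request would be served. */
bool would_serve_flawed(const char *hr_file)
{
    char dir[256];
    return !is_special_file(basename_flawed(hr_file, dir, sizeof dir));
}

bool would_serve_fixed(const char *hr_file)
{
    char dir[256];
    return !is_special_file(basename_fixed(hr_file, dir, sizeof dir));
}

int main(void)
{
    /* Constructed sample request paths. */
    const char *requests[] = { "/.htpasswd", "/docs/.htpasswd", "/index.html", "/docs/" };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-18s flawed: %-5s fixed: %s\n", requests[i],
               would_serve_flawed(requests[i]) ? "serve" : "deny",
               would_serve_fixed(requests[i]) ? "serve" : "deny");
    return 0;
}
```

The only request the two versions disagree on is the one in the mail: a special file sitting directly under the document root. Anything in a subdirectory still contains a "/" after the first character is dropped, which is why the check appears to work everywhere except at the top level.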

