Opened 16 years ago

Closed 16 years ago

#479 closed security (fixed)

directory traversal and file read

Reported by: dmorton Owned by: dmorton
Priority: highest Milestone: 1.0.3
Component: PHP scripts Version: 1.0.1
Severity: critical Keywords:


Adriel T. Desautels from reports that the "lang" variable is not verified and can be used to display system files. More details can be found in their advisory.

In addition to "lang", I also found "prevlang" and "super" that needed to have some verification done.

I was not able to replicate the attack on any Linux system, but the examples given to me appear to be FreeBSD. I suspect the real security flaw is in a php/filesystem issue on particular operating systems. It seems some systems handle "%00" as a null terminated string, and truncate the requested filename - returning a file other than what Maia requested.
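An added example of the kind of validation the ticket calls for (not Maia's own code or the attached patch; the `locale/<lang>.php` layout, the function names and the treatment of "prevlang" as a second language selector are assumptions), showing the unchecked pattern beside an allowlist check that holds whether or not the platform truncates paths at "%00":

```php
<?php
// Added example, not Maia's code. File layout (locale/<lang>.php) and
// function names are assumed; only the parameter names come from the ticket.

// The pattern the ticket describes: the request value reaches the
// filesystem unchanged. "../" climbs out of the locale directory, and on
// platforms whose C library stops at a null byte the ".php" suffix is
// dropped, so a file other than the intended one is returned.
function load_language_unsafe(string $lang): string|false
{
    return file_get_contents("locale/" . $lang . ".php");
}

// Hardened form: a strict syntactic check first, so null bytes, slashes
// and dots never reach a filesystem call, then an allowlist built from the
// files that actually exist rather than from anything the client sent.
function valid_language(string $candidate, string $locale_dir = 'locale'): ?string
{
    // Short tokens such as "en" or "pt_BR" only; this also rules out
    // "\0", "/", "\\" and "..".
    if (!preg_match('/^[A-Za-z0-9_-]{2,16}$/', $candidate)) {
        return null;
    }
    $allowed = [];
    foreach (glob($locale_dir . '/*.php') ?: [] as $path) {
        $allowed[basename($path, '.php')] = true;
    }
    return isset($allowed[$candidate]) ? $candidate : null;
}

// Apply the same check to each selector the ticket lists, falling back to
// a fixed default when none validates.
function select_language(array $request, string $default = 'en'): string
{
    foreach (['lang', 'prevlang'] as $param) {
        if (isset($request[$param]) && is_string($request[$param])) {
            $ok = valid_language($request[$param]);
            if ($ok !== null) {
                return $ok;
            }
        }
    }
    return $default;
}

// Only a name present in locale/ can come back; anything else yields "en".
$lang = select_language($_GET);
```

The allowlist is what makes the check independent of how a given OS or PHP build handles null bytes, which is the point made in comment:1 below.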

Attachments (1)

1184.diff (2.8 KB) - added by dmorton 16 years ago.
Patch file without DOS line endings…


Change History (2)

comment:1 Changed 16 years ago by dmorton

  • Resolution set to fixed
  • Status changed from new to closed

Whether or not the actual security breakdown is in the underlying OS, we need to defend against it. Fixed in [1184]

Changed 16 years ago by dmorton

Patch file without DOS line endings...
