Opened 16 years ago
Closed 16 years ago
#479 closed security (fixed)
directory traversal and file read
| Reported by: | dmorton | Owned by: | dmorton |
|---|---|---|---|
| Priority: | highest | Milestone: | 1.0.3 |
| Component: | PHP scripts | Version: | 1.0.1 |
| Severity: | critical | Keywords: | |
| Cc: | | | |
Description
Adriel T. Desautels from http://www.netragard.com reports that the "lang" variable is not verified and can be used to display system files. More details can be found in their advisory.
In addition to "lang", I also found "prevlang" and "super" that needed to have some verification done.
I was not able to replicate the attack on any Linux system, but the examples given to me appear to be FreeBSD. I suspect the real security flaw is in a php/filesystem issue on particular operating systems. It seems some systems handle "%00" as a null-terminated string and truncate the requested filename, returning a file other than the one Maia requested.
Attachments (1)
Change History (2)
comment:1 Changed 16 years ago by dmorton
- Resolution set to fixed
- Status changed from new to closed
Whether or not the actual security breakdown is in the underlying OS, we need to defend against it. Fixed in [1184]
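As an added example (not Maia's own code and not the change in [1184]), this is the kind of allowlist check the comment calls for: a request parameter such as "lang", "prevlang" or "super" is only ever mapped to an installed language file, so traversal sequences and a trailing "%00" never reach the filesystem. The `locale` directory of per-language PHP files is an assumption for the example.

```php
<?php
// Added example, not Maia's code. Assumes a hypothetical directory of
// installed language files named <code>.php (e.g. locale/en.php).
const LANG_DIR = __DIR__ . '/locale';

/** List the language codes that actually exist on disk. */
function installed_langs(): array
{
    $langs = [];
    foreach (glob(LANG_DIR . '/*.php') ?: [] as $path) {
        $langs[] = basename($path, '.php');
    }
    return $langs;
}

/**
 * Return a safe language code: the candidate only if it is well-formed and
 * installed, otherwise the default. Never returns anything usable as a path.
 */
function validated_lang(?string $candidate, string $default = 'en'): string
{
    // Shape check first. The character class excludes "/", "\", "." and NUL,
    // so "../", absolute paths and the "%00" truncation trick all fail here.
    // \z (not $) is used so a trailing newline cannot slip past the anchor.
    if ($candidate === null || !preg_match('/^[A-Za-z0-9_-]{2,10}\z/', $candidate)) {
        return $default;
    }
    // Second check: the code must match an installed file exactly (strict compare).
    return in_array($candidate, installed_langs(), true) ? $candidate : $default;
}

// Pattern of the kind the ticket describes (assumed, for contrast; do not use):
// the raw parameter becomes part of the filename, so the caller chooses the file.
//   include './locale/' . $_GET['lang'] . '.php';

// Hardened: the filename is built only from a value that passed both checks.
$lang = validated_lang($_GET['lang'] ?? null);
include LANG_DIR . '/' . $lang . '.php';
```

The same `validated_lang()` call covers "prevlang" and "super"; the default language file must itself exist in `locale`, since it is the fallback for every rejected value.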