
Possible Security Hole in Package Manager!


trparky:
Version: SMF 1.0 Beta 4 Public

There is no sanity check in the "Subs-Package.php" file in the "tar_gz_file" function for the incoming variable known as "$destination".  There should be at least a check to make sure that the destination is not escaping outside of the SimpleMachines Installation Folder.  It can be easily done by eliminating any "../"s from the "$destination" string.

Of course, this may break some Packages that rely upon the "../" string to break out of the extraction temp folder.

The reason why this vulnerability can be dangerous is that perhaps someone could write a "Package" and traverse all the way back through the tree to the root "/".
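An added example of the destination check this post asks for, covering both tar_gz_file and the tar_gz_data case raised later in the thread. This is not SMF's own code from Subs-Package.php; function names are hypothetical, a POSIX host with "/" separators is assumed, and $boarddir (the absolute path of the SMF install, as in Settings.php) and all paths are constructed for the demo. It checks against the install root rather than the extraction temp folder, so a package that uses "../" to climb out of the temp folder but stays inside the install still works, while anything that reaches outside the install is refused.

```php
<?php
// Added example for this thread, not code from SMF's Subs-Package.php.
// Assumptions: POSIX "/" separators; $boarddir is the absolute install path.

// Collapse "." and ".." segments lexically so "../" escapes become visible.
// Stripping the substring "../" is not a fix on its own: "....//" survives
// one pass as "../", and an absolute "/etc" never contained "../" at all.
function normalise_path(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);      // cannot climb above "/"
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// True when $path is $base itself or lies strictly beneath it.
function inside_base(string $base, string $path): bool
{
    $base = rtrim(normalise_path($base), '/');
    $path = normalise_path($path);
    return $path === $base || strpos($path, $base . '/') === 0;
}

// Resolve a package's requested $destination.  Relative values are taken
// relative to $boarddir; anything that ends up outside it is refused.
function safe_destination(string $boarddir, string $destination): ?string
{
    $candidate = ($destination !== '' && $destination[0] === '/')
        ? $destination
        : $boarddir . '/' . $destination;
    return inside_base($boarddir, $candidate) ? normalise_path($candidate) : null;
}

// The same rule applied per archive member (tar_gz_file and tar_gz_data
// both walk entries): a member named "../../etc/passwd" must not escape
// the already-checked destination.
function safe_entry_path(string $destination, string $member): ?string
{
    $candidate = $destination . '/' . $member;
    return inside_base($destination, $candidate) ? normalise_path($candidate) : null;
}

// Constructed demo values.
$boarddir = '/var/www/smf';

var_dump(safe_destination($boarddir, 'Packages/temp'));          // "/var/www/smf/Packages/temp"
var_dump(safe_destination($boarddir, 'Packages/temp/../..'));    // "/var/www/smf" (stays inside, allowed)
var_dump(safe_destination($boarddir, 'Packages/../../../etc'));  // NULL
var_dump(safe_destination($boarddir, '/etc'));                   // NULL
var_dump(safe_entry_path('/var/www/smf/Packages/temp', 'Sources/Mod.php'));    // under temp
var_dump(safe_entry_path('/var/www/smf/Packages/temp', '../../../index.php')); // NULL

// Why a plain strip is weaker than normalising: one pass leaves "../" behind.
var_dump(str_replace('../', '', '....//etc'));                   // "../etc"
```

The normalisation is purely lexical, so it does not follow symlinks; if the destination directory already exists, resolving it with realpath() before the prefix comparison closes that gap as well.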

trparky:
There is also a possibility that the "tar_gz_data" function in the same file suffers from the same vulnerability.

David:
Thanks, I'm sure a dev will look into this sometime today.  In terms of exploitability, I would rate it fairly low as it requires an admin to first upload a rogue package.

Douglas:

--- Quote from: trparky on March 20, 2004, 11:17:19 AM ---The reason why this vulnerability can be dangerous is that perhaps someone could write a "Package" and traverse all the way back through the tree to the root "/".
--- End quote ---
Not if the Server Admin was responsible and disabled routine access like that.  :)

trparky:
Yes, I understand both points, I am not going to deny that it would take some doing to exploit this.  But, we have to think about this for a moment.

Not all web users are programmers, not all web-admins are created equal, meaning....not all web users and web-admins are security geniuses.  In other words, don't underestimate anything, especially the stupidity of the end user!

If every web user was smart, we would not have the massive email worms that are now floating around the Internet.  What are we up to now, Bagle Revision S?  See what I mean?  We have to account for everything!
