> mirror is a Perl script which is widely used for making copy of remote
> FTP site. It's included in FreeBSD packages. There are security holes,
> which allows overwrite local files from remote ftp site with
> permissions of the user who uses mirror. Then retrieving directory
> listing mirror doesn't check filename or directory name to contain
> ".." or "\" This allows to create or overwrite files in directory
> different from destination.
>
> To simply test this bug you can create " .." directory on your ftp
> site and mirror your site. Mirror will create temporary files in
> directory one level higher than specified. This way you couldn't
> overwrite some useful information, but this may be used, for example,
> to fill out / directory (if mirror is ran from root).
>
> But with putting little changes into your ftpd (for example making him
> change '\' to '/' on listings) you can force mirror to overwrite _any_
> file with permissions of mirror user then he mirrors your ftp site.
>
>
> Tested with:
> $ mirror -v
> $Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $

I can confirm the behaviour you describe for mirror.pl,v 2.8 running on
solaris although I wasn't able to create any temporary files by using a
"\" in either the file names or the directory names.

However, the default mirror configuration shows the following part:

  # Don't touch anything whose name begins with a space!
  exclude_patt=(^|/)(.mirror$|.in..*.$|MIRROR.LOG|#.*#|.FSP|.cache|.zipped|lost+found/| )

(you might want to quote the space character at the end)

Even the man page recommends using the line above. Be careful not to
overwrite the keyword exclude_patt in your own mirror files. If you do
have to use exclude_patt be sure to specify something like:

  exclude_patt+|^blah/|

(note the "+" sign!)

This should not allow temporary files to be created through " ..". At
least it didn't on my system. :-)

Cheers,

  Stefan.
______________________________________________________________________________
Stefan Kelm                PGP key: "finger kelmat_private" or via key server
DFN-PCA <kelmat_private>
Vogt-Koelln-Str. 30        http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)    Tel: +49 40 428 83-2262 / Fax: -2241
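
Added example, not part of either post and not mirror's own code: a check a mirroring client can apply to every name in a remote listing before writing, covering the "..", " .." and "\" cases discussed in this thread. The names safe_local_path, UnsafeRemoteName and filter_listing, and the sample listing, are constructed for illustration.

```python
import os


class UnsafeRemoteName(ValueError):
    """A name from a remote listing that must not be written locally."""


def safe_local_path(dest_root, remote_name):
    """Map one remote listing name to a path under dest_root, or raise."""
    if not remote_name or "\x00" in remote_name:
        raise UnsafeRemoteName("empty name or NUL byte")
    # Treat "\" as a separator: the report has the server swapping "\" and "/".
    normalized = remote_name.replace("\\", "/")
    if normalized.startswith("/"):
        raise UnsafeRemoteName("absolute path: %r" % remote_name)
    parts = [p for p in normalized.split("/") if p]
    for part in parts:
        # Compare after stripping so " .." and ".. " are caught like "..".
        if part.strip() == "..":
            raise UnsafeRemoteName("parent reference in %r" % remote_name)
        # Same intent as the default config's "begins with a space" rule.
        if part[0].isspace():
            raise UnsafeRemoteName("leading whitespace in %r" % remote_name)
    root = os.path.realpath(dest_root)
    candidate = os.path.realpath(os.path.join(root, *parts))
    # Final containment check; also catches symlinks already inside the root.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeRemoteName("resolves outside root: %r" % remote_name)
    return candidate


def filter_listing(dest_root, names):
    """Split a listing into (accepted local paths, rejected remote names)."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(safe_local_path(dest_root, name))
        except UnsafeRemoteName:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample listing, as a hostile server might return it.
    listing = ["pub/README", " ../tmpfile", "pub\\..\\..\\etc\\motd", "/etc/motd"]
    ok, bad = filter_listing("/tmp/mirror-dest", listing)
    print("accepted:", ok)
    print("rejected:", bad)
```

Names are rejected rather than rewritten, so a hostile listing shows up in the run log instead of being silently mapped to a different local file.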