Re: IRM Security Advisory 002: Netware Web Server Source Disclosure

From: Ulf Harnhammar (ulfat_private)
Date: Fri Dec 21 2001 - 02:53:33 PST


On Thu, 20 Dec 2001, eNowak IGF remote wrote:

>       // only read file which is under the secure sewse path -- hence filtering ".."
>       if ((argv[i]).indexOf("..") != -1)
>       { return "Cannot read from insecure path."; }

This fix does not seem to allow people to use filenames that include the
characters ".." (i.e., "my_document..ulf.txt" is not valid). It is probably
better to parse the file name, so you know what parts are directories and
what part is the file name, and then check the directory parts for the
exact strings "." and "..".

________________________________________
Ulf Härnhammar
System Developer

ST-Registry
St Eriksgatan 117, E2
SE-113 43 Stockholm
SWEDEN

Telephone:	+46 (0)8-545 476 04
Facsimile:	+46 (0)8-32 63 33

E-mail:	ulfat_private
Web: http://www.nic.st/

The STreet domain - your Internet address
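The per-segment check described in the reply, as an added example that is not code from the advisory, the vendor fix or Ulf's message; the function names and the sample file names are made up for illustration, and the path is assumed to be already URL-decoded when it reaches the check.

```javascript
// The quoted vendor fix, reduced to a predicate: any ".." anywhere in the
// name rejects it, so a legitimate "my_document..ulf.txt" is refused.
function naiveCheck(path) {
  return path.indexOf("..") === -1;
}

// Per-segment check, as the reply suggests: split the name into its
// directory components and the file name, then reject a component only if
// it is exactly "." or "..". ".." embedded inside a longer component is a
// valid (if odd) file name, not a traversal.
// Caveat: run this on the decoded path; "%2e%2e" must be decoded first,
// otherwise the encoded form would pass here and be decoded later.
function segmentCheck(path) {
  if (typeof path !== "string" || path.length === 0) return false;
  // Reject absolute paths outright; only paths relative to the document
  // root are acceptable.
  if (path.startsWith("/") || path.startsWith("\\")) return false;
  // Both separators matter: the original server ran on NetWare, and a
  // backslash reaching the file system would also change directories.
  const parts = path.split(/[\\/]+/);
  for (const part of parts) {
    if (part === "." || part === "..") return false; // traversal component
    if (part.length === 0) return false;             // trailing separator
  }
  return true;
}

// Constructed sample names showing where the two checks disagree.
const SAMPLES = [
  "my_document..ulf.txt",      // legitimate, naive check wrongly rejects
  "docs/report.txt",           // legitimate, both accept
  "../secret.txt",             // traversal, both reject
  "docs/../../secret.txt",     // traversal, both reject
  "docs\\..\\secret.txt",      // traversal with backslashes, both reject
];

function compareChecks() {
  return SAMPLES.map((name) => ({
    name,
    naive: naiveCheck(name),
    segment: segmentCheck(name),
  }));
}
```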
    



This archive was generated by hypermail 2b30 : Fri Dec 21 2001 - 12:14:49 PST