On Fri, Dec 28, 2001 at 01:25:25AM -0500, Chris Gragsone wrote: > Vim backup Source Disclosure Vulnerability > Affected Software: > Vim Bah! > This is not a software bug rather a misconfiguration or administrative > oversight. > This vulnerability has been tested > with PHP4 on Apache, but should affect all other scripts which are > routinely edited in the manner. ...and which reside in the doc root. Stuff your application code inside ScriptAlias directories and any backup copies will either be executed, or generate errors, depending on their permission bits. > Vulnerability Reproduction: > with Vim 4.0 and later: http://footclan.realwarp.net/passwd.php~ > with Vim 3.0 and earlier: http://footclan.realwarp.net/passwd.php.bak There's not really anything new here, and *absolutely no reason* to name this "advisory" as if it's a problem with 'vim'. Many text editors, including vim's supposed nemesis emacs, have similar behaviors. As a friend of mine likes to say, if there's a problem here, it lies between the chair and keyboard. :-) If you want to be helpful, suggest a real fix, eh? The basic problem here is that some fool is saving new files to the document root, and the httpd has been configured to publish anything it can find and read in its document root. One way to guard against accidental leakage like this is to configure the httpd to only serve objects whose extensions (and, therefore, MIME types) are recognized. Here's how you can easily do it for Netscape Enterprise Server/iPlanet Web Server (in obj.conf): # *replace* your current "force-type" ObjectType directive with one # that flags unrecognized extensions with a special MIME type ObjectType fn="force-type" type="magnus-internal/unknown" # Now we tell the httpd to error out for unrecognized extensions; # the "path" should *not* exist; this will make the server respond with # a 404/Not Found error for any unrecognized extension; this needs to # come before any other Service directives whose "type" arguments # would match "magnus-internal/unknown" Service fn="send-error" type="magnus-internal/unknown" path="/bogus" I'm not sure how much work would be required to do similar things for Apache, AOLServer, or other httpds. Of course if your text editor saves with a suffix that's listed in your MIME type configuration, or uses a prefix (Allaire HomeSite, anyone?), or perhaps if your httpd tries to "magically" determine an object's MIME type, or the backup file is in a CGI directory and the editor saves the backup w/ the execute bits on, well, this approach won't save you from that. I mean, the underlying problem lies with how the content is managed and updated. Bottom line is you shouldn't put anything on a public httpd that you don't want, umm, public. -Peter Happy holidays & new year to all, especially Harlan
This archive was generated by hypermail 2b30 : Fri Dec 28 2001 - 18:40:47 PST