Message-ID: <CAF6rxgk20-9R7LczRPC87JhTeGbFx-jr_J1u2sqZ+73zL+TUYQ@mail.gmail.com>
Date: Wed, 17 Oct 2012 13:39:18 -0400
From: Eitan Adler <lists@...anadler.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: ruby file creation due in insertion of illegal NUL character

On 17 October 2012 13:31, Simon McVittie <smcv@...ian.org> wrote:
> As you imply, that pseudocode is a bad idea anyway: the webapp should
> be ensuring that the filenames match a pattern more like
> /^[A-Za-z0-9_]\.jpg$/ (or not allowing user-controlled filenames at
> all), and/or the web server should be configured so it never trusts
> files in the uploads directory (either as executable code or something
> like .htaccess).

> Anything vulnerable to this sort of trickery is probably vulnerable to
> file-overwriting attacks via "../" path segments, too.

What if they ensure this sort of safety via some other mechanism?
(chroot for example)
What if they take the file name to be "anything after the final /"?

I could see some instances, albeit contrived, where an application
might be vulnerable to this sort of attack, but not vulnerable to
generic path traversal.

-- 
Eitan Adler
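The checks discussed above, as an added example that is not part of the thread or of Ruby itself: a weak extension check of the kind a NUL-truncating file API defeats, beside a whitelist validator built on Simon's suggested pattern and Eitan's "after the final /" rule. Function names and sample filenames are assumptions constructed for illustration; the example also goes beyond the thread in anchoring the pattern with \A and \z, since Ruby's ^ and $ match at line boundaries.

```ruby
# Added example, not code from the thread.  Contrasts an extension check
# that a NUL-truncating file API defeats with a whitelist validator in the
# spirit of Simon's suggested pattern and Eitan's "after the final /" rule.
# All sample names below are constructed for illustration.

# Weak: only looks at the tail of the Ruby string.  If the file API stops
# at the first NUL byte, "evil.rb\0.jpg" is created on disk as "evil.rb".
def weak_extension_check(raw)
  raw.end_with?(".jpg")
end

# Whitelist anchored with \A and \z.  In Ruby, ^ and $ match at line
# boundaries, so /^[A-Za-z0-9_]+\.jpg$/ would accept "evil.rb\nok.jpg".
UPLOAD_NAME = /\A[A-Za-z0-9_]+\.jpg\z/

# Returns the validated basename, or nil when the upload must be rejected.
def safe_upload_name(raw)
  return nil unless raw.is_a?(String)
  # A NUL byte means the Ruby string and the C-level path disagree, so no
  # check on the Ruby string says anything about the file the OS creates.
  return nil if raw.include?("\0")
  # Keep only what follows the final "/": directories and "../" vanish.
  name = raw.rpartition("/")[2]
  return nil unless name.match?(UPLOAD_NAME)
  name
end

if __FILE__ == $PROGRAM_NAME
  ["photo_1.jpg", "evil.rb\0.jpg", "../../etc/passwd", ".htaccess"].each do |n|
    puts "#{n.inspect}: weak=#{weak_extension_check(n)} " \
         "safe=#{safe_upload_name(n).inspect}"
  end
end
```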
