cocoon-dev mailing list archives

From "Leo Sutic" <leo.su...@inspireinfrastructure.com>
Subject RE: [VOLUNTEER] Re: DO NOT REPLY [Bug 13541] New: - SAVE_UPLOAD_FILES_TO_DISK should be configurable
Date Mon, 14 Oct 2002 15:40:14 GMT


> From: Nathaniel Alfred [mailto:Alfred.Nathaniel@swx.com]
>
> <SECURITY-ALERT>
> Second, there is as far as I can see a *BIG* security hole here.
> The filename supplied in the request data is used verbatim in
> constructing the filepath on the server.  By crafting a request
> with enough ../ in the filename an attacker can overwrite any file
> writable by the container process!!

The line is, I think:

    String fileName =
        new File((String) headers.get("filename")).getName();

The use of getName() ensures that only the last part of the
filename is used. That is:

    System.out.println (new File("../../etc/passwd").getName());

prints "passwd" only.

Can you verify that this really is a break?

> At the very least anybody can fill up my disk by sending fake
> file upload requests.  Note that it is not necessary to have a
> file upload page.  All that happens at the very beginning of
> request handling before any Cocoon based access control
> mechanisms could stop it!!! </SECURITY-ALERT>

And I can flatten your webserver via DDoS. I think this only warrants
one (1) exclamation mark, not three (3).

I'm about to dig into the request processing parts of Cocoon,
and if the filename parsing is wrong - I'll fix it. But any DoS
attack, well, I'm leaving that for a follow-up team.

/LS


---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
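The following is an added check, not code from this message or from Cocoon, that does what the reply asks for: it feeds crafted "filename" header values through the same `new File(name).getName()` call quoted above and reports whether the resulting path stays directly under an upload directory. The upload directory (a subdirectory of java.io.tmpdir) and the assumption that the stripped name is joined to that directory with `new File(dir, name)` are both assumptions made for the example, not facts taken from Cocoon's source.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

public class UploadNameCheck {

    // Hypothetical upload directory standing in for Cocoon's configured one.
    static final File UPLOAD_DIR =
        new File(System.getProperty("java.io.tmpdir"), "cocoon-upload-check");

    /** The sanitisation quoted in the message: keep only the last path element. */
    static String sanitise(String headerFileName) {
        return new File(headerFileName).getName();
    }

    /**
     * True if the sanitised name denotes an entry whose parent is exactly
     * UPLOAD_DIR. Empty, "." and ".." are rejected explicitly, because
     * getName() returns those for inputs such as "", "/" and "../".
     */
    static boolean staysInside(String headerFileName) throws IOException {
        String name = sanitise(headerFileName);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            return false;
        }
        File target = new File(UPLOAD_DIR, name).getCanonicalFile();
        File base = UPLOAD_DIR.getCanonicalFile();
        return base.equals(target.getParentFile());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values for the multipart "filename" header.
        List<String> samples = Arrays.asList(
            "report.txt",
            "../../etc/passwd",
            "/etc/passwd",
            "..\\..\\windows\\win.ini",   // backslashes: separator only on Windows
            "../",
            "/",
            "");
        for (String s : samples) {
            System.out.printf("%-30s getName()=%-30s inside=%s%n",
                "\"" + s + "\"", "\"" + sanitise(s) + "\"", staysInside(s));
        }
    }
}
```

Run it on the platform the container actually runs on: `File.getName()` splits on the platform separator only, so the backslash sample is stripped to `win.ini` on Windows but is treated as a single (odd but harmless) file name on Unix. The cases worth keeping in a regression test are the ones where `getName()` returns "", "." or "..", since those are exactly the values a naive `new File(dir, name)` would not handle as a regular file inside the directory.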

