cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nathaniel Alfred" <>
Subject RE: [VOLUNTEER] Re: DO NOT REPLY [Bug 13541] New: - SAVE_UPLOAD_FILES_TO_DISK should be configurable
Date Mon, 14 Oct 2002 16:08:34 GMT

>-----Original Message-----
>From: Leo Sutic []
>Sent: Montag, 14. Oktober 2002 17:40
>Subject: RE: [VOLUNTEER] Re: DO NOT REPLY [Bug 13541] New: -
>SAVE_UPLOAD_FILES_TO_DISK should be configurable
>> From: Nathaniel Alfred [] 
>> Second, there is as far as I can see a *BIG* security hole here.  
>> The filename supplied in the request data is used verbatim in 
>> constructing the filepath on the server.  By crafting a 
>> request with enough ../ in 
>> the filename an attacker can overwrite any file writable by 
>> the container 
>> process!!
>The line is, I think:
>    String fileName =
>        new File((String) headers.get("filename")).getName();
>The use of getName() ensures that only the last part of the
>filename is used. That is:
>    System.out.println (new File("../../etc/passwd").getName());
>prints "passwd" only.
>Can you verify that this really is a break?

Right, I take back my claim.

>> At the very least anybody can fill up my disk by sending fake 
>> file upload request.  Note that it not necessary to have a 
>> file upload page.  All that happens at the very beginning of 
>> request handling before any Cocoon based access control 
>> mechanisms could stop it!!! </SECURITY-ALERT>
>And I can flatten your webserver via DDoS. I think this only warrants
>one (1) exclamation mark, not three (3).
>I'm about to dig into the request processing parts of Cocoon,
>and if the filename parsing is wrong - I'll fix it. But any DoS
>attack, well, I'm leaving that for a follow-up team.

Sure, filling up the disk as not real threat, as long as you are
aware of the possibility.

But bypassing access controll?

Do you fancy a upload page nicely protected by SunRise and still
everybody can inject fake files by a request I could almost type
on the keyboard:

   POST /index.html HTTP/1.1
   Content-type: multipart/form-data

>From my experience, Open Source products are called bad names in the
corporate world already for far more theoretical holes.


>To unsubscribe, e-mail:
>For additional commands, email:

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 

To unsubscribe, e-mail:
For additional commands, email:

View raw message