[SUCS Devel] [Git][sucssite/sucs-site][sucs-site] 3 commits: stop .forward file being a symlink
Andrew Price
welshbyte at sucs.org
Sun Apr 2 06:49:53 BST 2017
On 01/04/17 22:05, Imran Hussain wrote:
> On 01.04.2017 19:33, Andrew Price wrote:
>> - What if ~/.forward is created to be bigger than the available
>> virtual memory (sparse or actual size)?
>
> Php is set to use at most 128M. If someone has a 129M .forward file then
> all that'll happen is that php will crash out with an oom exception.
OK, not catastrophic then, just a bug :)
>> - What if ~/.forward is replaced by a symlink between the is_link()
>> call and the file() call?
>
> What an attack!
https://cwe.mitre.org/data/definitions/363.html
It's pretty straightforward, something brutish like
    /* keeps swapping the path between a regular file and a symlink, so
       a check on the path and a later open of the same path can see
       different things (the TOCTOU window from CWE-363) */
    while (1) {
        rename(".forward", ".forward.backup");
        symlink("somefile", ".forward");
        rename(".forward.backup", ".forward");
    }
would probably get "somefile" read about 10% of the time. Opening with
O_NOFOLLOW and then doing all subsequent operations on the file
descriptor is a good way to fix it but I doubt there's an easy way to
get PHP to use that flag.
Andy
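The fix Andy describes, open with O_NOFOLLOW and then do the type check, size check and read on the descriptor, as an added C example that is not from this thread or the sucs-site code; the function names, the file contents and the size cap are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read a .forward-style file without following a symlink at the path.
 * O_NOFOLLOW makes open() fail with ELOOP if the last component is a symlink;
 * fstat() and read() then use the descriptor, so the path is never consulted
 * twice. max_size rejects an oversized file instead of exhausting memory. */
ssize_t read_forward_nofollow(const char *path, char *buf, size_t cap, off_t max_size)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                  /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode)) { close(fd); errno = EINVAL; return -1; }
    if (st.st_size > max_size || (size_t)st.st_size > cap) { close(fd); errno = EFBIG; return -1; }
    size_t got = 0;
    while (got < (size_t)st.st_size) {
        ssize_t n = read(fd, buf + got, (size_t)st.st_size - got);
        if (n < 0) { if (errno == EINTR) continue; close(fd); return -1; }
        if (n == 0) break;                  /* file shrank; return what we got */
        got += (size_t)n;
    }
    close(fd);
    return (ssize_t)got;
}

/* Constructed demo: a regular .forward is read, a symlinked one is refused. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/fwd.XXXXXX", fwd[300], other[300], buf[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(fwd, sizeof fwd, "%s/.forward", dir);
    snprintf(other, sizeof other, "%s/secret", dir);
    FILE *f = fopen(other, "w"); if (!f) return -1;
    fputs("not for you\n", f); fclose(f);
    f = fopen(fwd, "w"); if (!f) return -1;
    fputs("alice@example.org\n", f); fclose(f);
    ssize_t a = read_forward_nofollow(fwd, buf, sizeof buf, 4096);   /* 18 bytes */
    unlink(fwd);
    if (symlink(other, fwd) != 0) return -1;
    ssize_t b = read_forward_nofollow(fwd, buf, sizeof buf, 4096);   /* -1, ELOOP */
    int ok = (a == 18 && b == -1 && errno == ELOOP);
    unlink(fwd); unlink(other); rmdir(dir);
    return ok;
}
```

The same pattern applies to the size concern raised earlier in the thread: the cap is enforced on the descriptor's fstat() result, not on a separate filesize() call against the path.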