[SUCS Devel] [Git][sucssite/sucs-site][sucs-site] 3 commits: stop .forward file being a symlink

Imran Hussain imranh at sucs.org
Sun Apr 2 21:17:39 BST 2017

On 02.04.2017 06:49, Andrew Price wrote:
> On 01/04/17 22:05, Imran Hussain wrote:
>> On 01.04.2017 19:33, Andrew Price wrote:
>>> - What if ~/.forward is created to be bigger than the available
>>> virtual memory (sparse or actual size)?
>> Php is set to use at most 128M. If someone has a 129M .forward file 
>> then
>> all that'll happen is that php will crash out with a oom exception.
> OK not catastrophic then, just a bug :)

Feature ;)

>>> - What if ~/.forward is replaced by a symlink between the is_link()
>>> call and the file() call?
>> What a attack!
> https://cwe.mitre.org/data/definitions/363.html
> It's pretty straightforward, something brutish like
>   while (1) {
>           rename(".forward", ".forward.backup");
>           symlink("somefile", ".forward");
>           rename(".forward.backup", ".forward");
>   }
> would probably get "somefile" read about 10% of the time. Opening
> with O_NOFOLLOW and then doing all subsequent operations on the file
> descriptor is a good way to fix it but I doubt there's an easy way to
> get PHP to use that flag.

Could just read the file and do input validation? .forward is supposed 
to contain a email address, so why not just read and then use php email 
validation stuff to check. OR have code in the sucssite that reads the 
first line of a filer and looks for a string and if that's there then 
don't read the rest of the file? So in cases of the original exploit 
have "//pls don't display on the sucs site" as the first line and get 
the sites code to check for that?

Imran Hussain

More information about the Devel mailing list