[SUCS Devel] [Git][sucssite/sucs-site][sucs-site] 3 commits: stop .forward file being a symlink
Imran Hussain
imranh at sucs.org
Sun Apr 2 21:17:39 BST 2017
On 02.04.2017 06:49, Andrew Price wrote:
> On 01/04/17 22:05, Imran Hussain wrote:
>> On 01.04.2017 19:33, Andrew Price wrote:
>>> - What if ~/.forward is created to be bigger than the available
>>> virtual memory (sparse or actual size)?
>>
>> Php is set to use at most 128M. If someone has a 129M .forward file
>> then
>> all that'll happen is that php will crash out with an oom exception.
>
> OK not catastrophic then, just a bug :)
>
Feature ;)
>>> - What if ~/.forward is replaced by a symlink between the is_link()
>>> call and the file() call?
>>
>> What an attack!
>
> https://cwe.mitre.org/data/definitions/363.html
>
> It's pretty straightforward, something brutish like
>
> while (1) {
> rename(".forward", ".forward.backup");
> symlink("somefile", ".forward");
> rename(".forward.backup", ".forward");
> }
>
> would probably get "somefile" read about 10% of the time. Opening
> with O_NOFOLLOW and then doing all subsequent operations on the file
> descriptor is a good way to fix it but I doubt there's an easy way to
> get PHP to use that flag.
Could just read the file and do input validation? .forward is supposed
to contain an email address, so why not just read and then use php email
validation stuff to check. OR have code in the sucssite that reads the
first line of a file and looks for a string and if that's there then
don't read the rest of the file? So in cases of the original exploit
have "//pls don't display on the sucs site" as the first line and get
the site's code to check for that?
--
Imran Hussain
https://sucs.org