[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Security issue with Hobbit "config" command.
- To: "Kruse, Jason K." <jason.kruse (at) teldta.com>
- Subject: Security issue with Hobbit "config" command.
- From: Henrik Stoerner <henrik (at) hswn.dk>
- Date: Wed, 2 Aug 2006 17:41:06 +0200
- Cc: hobbit (at) hswn.dk
- References: <0E8F9877D395D5469742736EC41435E51E46DD@VSM-MSG001.telecom.tds.local>
- User-agent: Mutt/1.5.11
On Wed, Aug 02, 2006 at 10:11:42AM -0500, Kruse, Jason K. wrote:
> The config directive does not stay locked into the etc directory but
> will follow ../.. to allow access to any file the hobbit user has access
> to on the system.
Thanks, this was not meant to happen. There was actually a security
check in the code, but it got two parameters in the wrong order, so
it would always grant access. A patch is attached.
Regards,
Henrik
--- hobbitd/hobbitd.c 2006/07/21 20:32:51 1.251
+++ hobbitd/hobbitd.c 2006/08/02 15:38:47
@@ -25,7 +25,7 @@
/* */
/*----------------------------------------------------------------------------*/
-static char rcsid[] = "$Id: hobbitd.c,v 1.251 2006/07/21 20:32:51 henrik Exp $";
+static char rcsid[] = "$Id: hobbitd.c,v 1.252 2006/08/02 15:38:04 henrik Exp $";
#include <limits.h>
#include <sys/time.h>
@@ -2563,7 +2563,7 @@
p = strtok(p, " \t\r\n");
conffn = strdup(p);
xfree(msg->buf);
- if (conffn && (strstr("../", conffn) == NULL) && (get_config(conffn, msg) == 0) ) {
+ if (conffn && (strstr(conffn, "../") == NULL) && (get_config(conffn, msg) == 0) ) {
msg->doingwhat = RESPONDING;
msg->bufp = msg->buf;
}