Security issue with Hobbit "config" command.
Henrik Stoerner
henrik at hswn.dk
Wed Aug 2 17:41:06 CEST 2006
On Wed, Aug 02, 2006 at 10:11:42AM -0500, Kruse, Jason K. wrote:
> The config directive does not stay locked into the etc directory but
> will follow ../.. to allow access to any file the hobbit user has access
> to on the system.
Thanks, this was not meant to happen. There was actually a security
check in the code, but it got two parameters in the wrong order, so
it would always grant access. A patch is attached.
Regards,
Henrik
-------------- next part --------------
--- hobbitd/hobbitd.c 2006/07/21 20:32:51 1.251
+++ hobbitd/hobbitd.c 2006/08/02 15:38:47
@@ -25,7 +25,7 @@
/* */
/*----------------------------------------------------------------------------*/
-static char rcsid[] = "$Id: hobbitd.c,v 1.251 2006/07/21 20:32:51 henrik Exp $";
+static char rcsid[] = "$Id: hobbitd.c,v 1.252 2006/08/02 15:38:04 henrik Exp $";
#include <limits.h>
#include <sys/time.h>
@@ -2563,7 +2563,7 @@
p = strtok(p, " \t\r\n");
conffn = strdup(p);
xfree(msg->buf);
- if (conffn && (strstr("../", conffn) == NULL) && (get_config(conffn, msg) == 0) ) {
+ if (conffn && (strstr(conffn, "../") == NULL) && (get_config(conffn, msg) == 0) ) {
msg->doingwhat = RESPONDING;
msg->bufp = msg->buf;
}
More information about the Xymon
mailing list