Date: Wed, 29 Sep 1999 23:39:39
From: Lee McLoughlin <lmjm@dsres.com>
To: "Jose' Carlos Oliveira Pereira" <jcp@EUnet.pt>, 3APA3A <wise@tomcat.ru>
Subject: Re: mirror2.9 bug
--------------------------------------------------------------------------------
Yes this is a potential security hole.
In my defense mirror was written back in the old days before they allowed nasty people to use
the Internet :-(
Anyhow. A simple fix to overcome this problem is to add the following to your mirror.defaults
(and to any package that overrides this setting):
name_mappings=s:\.\./:__/:g
This should convert names like:
" ../rot"
to
" __/rot"
BUT I'VE NOT TESTED THIS! I'm just too busy at the moment as I now work in the commercial
sector and I'm a bit swamped starting up a new company...
Lee
Jose' Carlos Oliveira Pereira wrote:
> Hello there
>
> This email is in regards to the bug announcement (see below) on the 28th
> of September. I patched this bug quickly. I'm not sure if there are any
> negative side effects. In any case, if you haven't fixed it and want to
> give a look.
>
> ***************
> *** 2657,2662 ****
> --- 2657,2670 ----
> $no_rename = (! $remote_has_rename) || ($remote_fs eq 'macos' && ! $get_file);
>
> foreach $src_path ( @xfer_src ){
> +
> + ##
> + #BEGIN jcp@EUnet.pt 1999/09/29
> + if( $src_path =~ /\w*\.\.\//){
> + &msg( $log, "WARNING: BAD dir detected, skipping: $src_path\n" );
> + next;
> + }
> + #END jcp@EUnet.pt
> if( $get_file ){
> $srci = $remote_map{ $src_path };
> }
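Review bot: the test `$src_path =~ /\w*\.\.\//` in the added `if` only fires when `..` is followed by a forward slash, so a `$src_path` that is exactly `..`, that ends in `/..`, or that uses `\` as the separator (the character named in the report quoted below) is not skipped. The leading `\w*` can match the empty string and so adds nothing, and because the pattern is unanchored it also skips harmless names such as `notes../readme`. Suggest testing for `..` as a whole path component with either separator, for example `m{(^|[/\\])\.\.([/\\]|$)}`, and saying in the comment whether names with surrounding whitespace, like the reported " ..", are meant to be covered.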
>
> best regards
>
> Jose' Carlos Pereira Tel: +351 (1) 314 33 11
> Network Support Fax: +351 (1) 314 34 24
> EUnet Portugal Telecomunicacoes, Lda www http://www.EUnet.pt
> R.Alex. Herculano,2-2ºD 1150 Lisboa,PT e-mail: jcp@EUnet.pt
>
> -------- ____ -----
> ------- / / / ___ ___ /_ ------
> ------ /---- / / / / /___/ / -------
> ----- /____ /___/ / / /___ /_ --------
> ---- ---------
>
> On Tue, 28 Sep 1999, 3APA3A wrote:
>
> > Hello BUGTRAQ@SECURITYFOCUS.COM,
> >
> > mirror is a Perl script which is widely used for making a copy of a remote
> > FTP site. It's included in FreeBSD packages. There are security holes,
> > which allow overwriting local files from a remote ftp site with
> > permissions of the user who uses mirror. When retrieving a directory
> > listing mirror doesn't check filename or directory name to contain
> > ".." or "\". This allows to create or overwrite files in directory
> > different from destination.
> >
> > To simply test this bug you can create " .." directory on your ftp
> > site and mirror your site. Mirror will create temporary files in
> > directory one level higher than specified. This way you couldn't
> > overwrite some useful information, but this may be used, for example,
> > to fill out / directory (if mirror is run from root).
> >
> > But with putting little changes into your ftpd (for example making him
> > change '\' to '/' on listings) you can force mirror to overwrite _any_
> > file with permissions of mirror user when he mirrors your ftp site.
> >
> >
> > Tested with:
> > $ mirror -v
> > $Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $
> >
> >
> >
> > /\_/\
> > { . . } |\
> > +--oQQo->{ ^ }<-----+ \
> > |Here was U the Learned Cat}
> > +-------------o66o--+ /
> > |/
> > Alcoholism poses a particular problem. (Lem)
> >
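
The two checks proposed in this thread, run side by side on constructed remote names. This is an added example, not part of the original messages and not code from mirror; `has_parent_component` is a hypothetical stricter check that assumes a name such as " .." should be treated like "..".

```perl
#!/usr/bin/perl
# Added illustration: compares the two checks proposed in this thread on
# constructed remote names. Not code from mirror itself.
use strict;
use warnings;

# Lee's suggested name_mappings expression, applied as a plain substitution.
sub apply_mapping {
    my ($name) = @_;
    $name =~ s:\.\./:__/:g;
    return $name;
}

# The test from Jose's patch: true means the path would be skipped.
sub patch_rejects {
    my ($name) = @_;
    return $name =~ /\w*\.\.\// ? 1 : 0;
}

# Hypothetical stricter check (an assumption, not from the thread): split on
# either separator and reject any component that is ".." once surrounding
# whitespace is ignored.
sub has_parent_component {
    my ($name) = @_;
    for my $part ( split m{[/\\]}, $name ) {
        ( my $trimmed = $part ) =~ s/^\s+|\s+$//g;
        return 1 if $trimmed eq '..';
    }
    return 0;
}

# Constructed sample names, as they might appear in a remote listing.
my @samples = ( 'pub/file.txt', '../rot', ' ../rot', 'a/../../etc/x',
                '..', 'dir/..', '..\\rot', 'notes../readme' );

printf "%-16s %-16s %-6s %s\n", 'name', 'mapped', 'patch', 'component';
for my $name (@samples) {
    printf "%-16s %-16s %-6s %s\n", "'$name'",
        "'" . apply_mapping($name) . "'",
        patch_rejects($name)        ? 'skip' : 'pass',
        has_parent_component($name) ? 'skip' : 'pass';
}
```

In the output, the mapping and the patch both handle `../rot` and ` ../rot`, leave `..`, `dir/..` and `..\rot` untouched, and both act on the harmless `notes../readme`; the component check is the only one of the three that separates those cases.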