oss-security - Re: CVE Request: PEAR Installer 1.9.1 <=

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <AANLkTi=GfhNJqQR5KKeeX8tNaEqXXTUTJFfCvwrt0SZO@mail.gmail.com>
Date: Tue, 1 Mar 2011 13:21:46 +0100
From: Pierre Joye <pierre.php@...il.com>
To: Dan Rosenberg <dan.j.rosenberg@...il.com>
Cc: oss-security@...ts.openwall.com, 
	Helgi Þormar Þorbjörnsson <helgi@....net>
Subject: Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack

On Tue, Mar 1, 2011 at 1:19 PM, Dan Rosenberg <dan.j.rosenberg@...il.com> wrote:

> The easiest way is to just open the target with the O_NOFOLLOW flag to
> avoid following symlinks and abort on failure.  If you need to support
> systems that don't have this flag, then perhaps you could consider
> using an application-specific temporary directory instead of operating
> in the world-writable /tmp.

In php, hard to do. But that's something we should keep in mind, maybe
we can expose this flag somehow.

>>> Also, I don't see a reason why a hard link couldn't be used for exploitation
>>> instead.
>>
>> Hard link are not detectable (lstat), they are treated like normal files.
>>
>
> Sure they are - just open the file, fstat() it,

+from PHP script.


-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.