[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Security hole in Confixx backup script

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] Security hole in Confixx backup script
From: Dirk Pirschel <dirk@xxxxxxxxxxx>
Date: Tue, 27 Jul 2004 01:57:04 +0200

Hi,

* Dirk Pirschel wrote on Fri, 25 Jun 2004 at 15:08 +0200:

> A malicious backup request via the webinterface might be used by any
> user to read files located in /root (which is the default installation
> directory of confixx).

Confixx does a "cd $dir; tar czf ..." without any error checking.  If
the target directory does not exist, the backup is done in the current
working directory, which is /root.

It is possible to retrieve *any* directory by replacing $HOME/files or
$HOME/html with a symlink.

> If you are using confixx, you should disable the backup script.

-Dirk

-- 
Linux - Life is too short for reboots

Attachment: pgp00068.pgp
Description: PGP signature

Prev by Date: RE: [Full-Disclosure] Redhat 9 PHP 4.2.2 update for the memory_li mit vulnerability
Next by Date: RE: [ok] [Full-Disclosure] Possible Virus/Trojan
Previous by thread: RE: [Full-Disclosure] Redhat 9 PHP 4.2.2 update for the memory_li mit vulnerability
Next by thread: RE: [ok] [Full-Disclosure] Possible Virus/Trojan
Index(es):
- Date
- Thread