David Mirza Ahmad Symantec
PGP: 0x26005712 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12 -- The battle for the past is for the future. We must be the winners of the memory war. On Tue, 28 Oct 2003, Richard Brittain wrote: > On Mon, 27 Oct 2003, dong-h0un U wrote: > > > Vulnerabilty happens '*' because don't filtering. > > Through this character, can know existence of files to directory. > ... > > This patch prevents the globbing, but also breaks the proper action of the > server because bname() no longer returns the filename. > A better patch is to disable all globbing in the script by turning on the > "-n" option in the shell. > > > --- sh-httpd-0.4/sh-httpd Mon Oct 9 11:28:05 2000 > > +++ sh-httpd.patch Sat Jul 19 08:51:44 2003 > > @@ -31,7 +31,7 @@ > > > > bname() { > > local IFS='/' > > - set -- $1 > > + set -- "$1" > > eval rc="\$$#" > > [ "$rc" = "" ] && eval rc="\$$(($# - 1))" > > echo "$rc" > > @@ -262,7 +262,7 @@ > > > > # Split URI into base and query string at ? > > IFS='?' > > - set -- $URI > > + set -- "$URI" > > QUERY_STRING="$2" > > URL="$1" > > IFS=$OIFS > > @@ -292,7 +292,7 @@ > > fi > > > > DIR="`dname $URL`" > > - FILE="`bname $URL`" > > + FILE="`bname "$URL"`" > > > > # Check for existance of directory > > if [ ! -d "$DOCROOT/$DIR" ]; then > > === eof === > > Richard Brittain, Kiewit Computing Services, 6224 Baker/Berry Library > Dartmouth College, Hanover NH 03755 > Email: [EMAIL PROTECTED] > or: [EMAIL PROTECTED] > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
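Review bot: in the bname() hunk (@@ -31,7 +31,7 @@), quoting the argument in set -- "$1" suppresses the IFS='/' field split together with the pathname expansion, so $# is always 1 and rc ends up holding the whole path instead of its last component. Keep set -- $1 unquoted so the split on '/' still happens, and turn pathname expansion off around it instead (set -f before the set, set +f afterwards if the rest of the script relies on globbing).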
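Review bot: in the URI-splitting hunk (@@ -262,7 +262,7 @@), set -- "$URI" under IFS='?' produces a single positional parameter, so $2 is never set: QUERY_STRING is always empty and URL keeps the '?' and the query string attached. The split is the purpose of this code, so the expansion has to stay unquoted here; disable pathname expansion for the statement instead of quoting it.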
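Review bot: in the DIR/FILE hunk (@@ -292,7 +292,7 @@), only the bname call is quoted; the unchanged context line DIR="`dname $URL`" still passes $URL unquoted, so the request path is still split and glob-expanded at that call site. Quote both calls, and prefer the $(...) form, for example FILE="$(bname "$URL")", so the inner double quotes do not sit inside backquotes that are themselves inside double quotes.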
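The behaviour discussed in this thread, as an added example that is not part of the original messages or of sh-httpd: the original bname(), the posted patch, and a variant that keeps the split but disables pathname expansion, run against a constructed scratch directory. The variant uses set -f, the POSIX noglob option, as an assumption about how to disable globbing; the function names bname_orig, bname_quoted, bname_noglob, the in_fixture helper and the fixture files are hypothetical.

```shell
#!/bin/sh
# Added example, not sh-httpd code. Function names and fixture files are constructed.

# Original bname(): unquoted $1 is split on '/' and each field is then glob-expanded.
bname_orig() (
    IFS='/'
    set -- $1
    eval rc="\$$#"
    [ "$rc" = "" ] && eval rc="\$$(($# - 1))"
    echo "$rc"
)

# Posted patch: quoting stops the globbing, but also stops the split on '/'.
bname_quoted() (
    IFS='/'
    set -- "$1"
    eval rc="\$$#"
    [ "$rc" = "" ] && eval rc="\$$(($# - 1))"
    echo "$rc"
)

# noglob variant: set -f disables pathname expansion, field splitting still happens.
# It is scoped to this subshell here; the thread suggests doing it script-wide.
bname_noglob() (
    set -f
    IFS='/'
    set -- $1
    eval rc="\$$#"
    [ "$rc" = "" ] && eval rc="\$$(($# - 1))"
    echo "$rc"
)

# Constructed fixture standing in for the directory the server process runs in.
FIXTURE=$(mktemp -d) || exit 1
trap 'rm -rf "$FIXTURE"' EXIT
: > "$FIXTURE/index.html"
: > "$FIXTURE/secret.txt"
in_fixture() ( cd "$FIXTURE" && "$@" )

for f in bname_orig bname_quoted bname_noglob; do
    printf '%-13s /docs/index.html -> %s\n' "$f" "$(in_fixture "$f" /docs/index.html)"
    printf '%-13s /docs/*          -> %s\n' "$f" "$(in_fixture "$f" '/docs/*')"
done
```

For the request path /docs/*, bname_orig returns the name of a file that exists in the working directory, bname_quoted returns the unsplit path, and bname_noglob returns the literal *.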