Path traversal in the session parameter CVE-2014-3702 #231

Closed
ghost opened this issue Mar 17, 2015 · 2 comments

Comments

@ghost

ghost commented Mar 17, 2015

Found in a past security audit, agreed with Tristan to make public and file issues here.

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1153470

upload.py:

    # If the filename ends with a .log, we need to process it as a log file
    if ('file' in form) and (form['file'].filename.endswith('.log.gz')):  # [1]
        logitem = form['file']
        logfile = logitem.file
        try:
            # Let's save the file in LOGDIR directory
            log_dir = os.path.normpath(config_get('SERVER', 'LOGDIR', cfg_dir)) + '/'
            filename = os.path.join(log_dir, logitem.filename)  # [2]
            output_file = open(filename, 'w')
            output_file.write(logfile.read(-1))
            output_file.close()
        except Exception, xcpt:
            # If we fails at saving, let's exit
            fatal_error("exception while saving log file: %s" % str(xcpt))
            sys.exit(1)
        # If the succeed at saving log file, let's also exit
        # In fact we have nothing more to do once its saved.
        log('Log file %s saved' % logitem.filename)
        sys.exit(0)

1 - if the file is specified ending with .log.gz, at [2], we can write an arbitrary file
due to an unsanitized filename like ../../../../../../../var/log/whatever.log.gz if the
httpd is overly privileged, etc.

upload.py returns python code to be executed on the client:

    sys.stdout.write('''
    import commands
    import os
    import sys

    import hpacucli
    import ipmi
    import time

    ...

upload-health.py

if form.getvalue('session'):
    dest_dir = cfg_dir + form.getvalue('session') + '/' + dirname
else:
    dest_dir = cfg_dir + '/' + dirname

try:
    if not os.path.isdir(dest_dir):
        os.makedirs(dest_dir)

session = a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z for a fast fs directory-making attack.

can return arbitrary shell commands to be run:

    '''Report a shell script with the error message and log
    the message on stderr.'''
    print('''#!/bin/sh

    cat <<EOF
    %s
    EOF

    exit 1
    ''' % error)

@fredericlepied
Contributor

Fixed in 2ac192c.

@dfj

dfj commented Mar 24, 2015

This is an incomplete fix. os.path.basename() won't properly sanitize UNC paths on Windows hosts. Also, the issue in upload.py hasn't been fixed at all.
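A hardened handling of the two inputs discussed in this thread (the uploaded filename joined at [2] and the `session` parameter used to build `dest_dir`), as an added example that is not the project's code. It rejects path components under both POSIX and Windows separator rules, which is the gap dfj points out for a bare `os.path.basename()` fix, and then confirms the resolved path stays under the base directory; the function names, the `SESSION_RE` allowlist, the assumption that `dirname` is server-controlled, and the sample inputs are all constructed for this example.

```python
import os
import posixpath
import ntpath
import re


class UnsafeFilename(ValueError):
    """A client-supplied name cannot be stored under the intended directory."""


# Assumed allowlist for the 'session' parameter: it is a token, not a path,
# so validate its shape instead of trying to strip separators out of it.
SESSION_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def safe_log_path(log_dir, client_filename, suffix=".log.gz"):
    """Return an absolute path for client_filename inside log_dir, or raise."""
    if not client_filename or "\x00" in client_filename:
        raise UnsafeFilename("empty or NUL-containing filename")
    # Strip directory parts under BOTH separator conventions, so names such as
    # '..\\..\\x' or '\\\\server\\share\\x' are caught on a POSIX host too.
    base = ntpath.basename(posixpath.basename(client_filename))
    if base != client_filename or base in (".", ".."):
        raise UnsafeFilename("filename contains path components: %r" % client_filename)
    if not base.endswith(suffix) or base == suffix:
        raise UnsafeFilename("unexpected filename: %r" % client_filename)
    # Belt and braces: confirm the resolved path is still under log_dir.
    root = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeFilename("path escapes %s" % root)
    return candidate


def safe_session_dir(cfg_dir, session, dirname):
    """Build the per-session directory; dirname is assumed server-controlled."""
    if not session or not SESSION_RE.match(session):
        raise UnsafeFilename("invalid session token: %r" % session)
    return os.path.join(os.path.realpath(cfg_dir), session, dirname)


if __name__ == "__main__":
    # Constructed sample inputs: the first is benign, the rest are rejected.
    for name in ("node1.log.gz", "../../../../var/log/whatever.log.gz",
                 "..\\..\\whatever.log.gz", "\\\\srv\\share\\whatever.log.gz"):
        try:
            print("accepted:", safe_log_path("logs", name))
        except UnsafeFilename as exc:
            print("rejected:", exc)
```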
