Hi, a while ago I asked the wisdom of a simple site mapping tool, (see
Web Site Mapping Tool). I got a few useful messages - many thanks, and so went ahead and built it. It works great, and I'm happy with it, except that I know it's got at least one big security hole!
I'm working within a secured intranet, so I don't expect many hacking attempts, but you can never tell, plus I can't be sure that someone else won't use the script within the company in a less secure environment - who ever reads warning and comments when you are in a hurry?
The problem lies around the way that the script works out which directory tree to map. Here is a summary of how it works:
- HTML page containing an XML tag to the script is called by the browser. The templating system calls the script, passing some parameters to the script to let it know where it was called from.
- The script starts and works out on which virtual host it was called from, and looks up that host's config file. If it can't find it, eg fake virtual host, then it dies.
- After this it works out where it was called from, (via the parameters) and then dies if start of the physical path does not match the one it's allowed to use.
- It passes the directory of to File::Find, and away it goes.
The obvious problem with this is that if you pass by hand a path such as /allowed/../../notallowed, where the approved path is /allowed/, then this gets through, and then File::Find then traverses a space it's not supposed to (directory permissions aside).
I've done the obvious of obliterating any "..", but I know that there are many more ways to bypass this. Taint and detainting won't help directly either.
CHROOT isn't an option on my NT box, and annoyingly NT permissions don't prevent much either - as currently set. On a Linux box (next phase) I should be able to use CHROOT and file permissions to control the script a bit better, but I'd like the script to be more robust by default.
QUESTION: How do I take in a path from the outside, and verify that it's safe to pass to File::Find?
As ever, humble thanks in advance.
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
| |
For: |
|
Use: |
| & | | & |
| < | | < |
| > | | > |
| [ | | [ |
| ] | | ] |
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.