Information Assurance
Bugtraq Analysis
Safe Directory Traversal
back to bugtraq analyses page
|
This Bugtraq report dealt with directory traversals. An FTP server product, Home FTP Server contained a security hole on a specific command. To understand the bug, we must understand some of the basics of directories.
Whenver a directory path is set, such as /home/john/myfolder, one can traverse outside of the current path by adding a ../ to the end of the path. Thus /home/john/myfolder/../ is equivalent to /home/john. Each additional ../ prefix steps out of an additional folder, all the way to the root.
When installing Home FTP Server - or many other servers, for the matter - the admin has to set a server root. Meaning nobody can list or access the files outside of that root. Thus, if one sets the root to /home/john, users of the server should be unable to access or modify anything outside of that directory. Of course, the server has to check for ../ in the path specified on any command. They don't have to disallow them, but simply make sure there aren't enough ../ instances to leave the server root.
Home FTP Server does this correctly in all but one of the commands. The command to create a directory MKDIR did not correctly sanitize ../ instances. Thus malicious users could create any number of folders outside the root. This doesn't sound like a major problem, since it's just the MKDIR command instead of something more destructive. But it still allows behavior that shouldn't take place. This problem of malicious directory traversals surfaces all the time, so it's very important to sanitize the paths provided by the user. In other words, never trust user input.
|