On Fri, 9 Aug 2002, Tom Jackson wrote:
> I have noticed a file upload vulnerability in AOLserver that can be
> exploited to potentially read, expose or copy the contents of any file
> readable by the user account under which AOLserver runs.
This vulnerability does not exist in the ArsDigita AOLserver +ad12 &
+ad13 releases. From the DISTRIBUTION.txt change log notes for
+ad12:
- Ns_QueryToSet will not allow parameters whose names end with
".tmpfile".
Also, the real culprit here, in my opinion, is modules/tcl/form.tcl. I'd
recommend the following change:
--- modules/tcl/form.tcl Fri Feb 1 14:23:43 2002
+++ modules/tcl/form-patched.tcl Fri Aug 9 19:27:23 2002
@@ -266,7 +266,7 @@
close $tmp
seek $fp $end
- ns_set put $form $name.tmpfile $tmpfile
+ ns_set update $form $name.tmpfile $tmpfile
} else {
# ordinary field - read lines until next boundary
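
Review bot: the `ns_set update` on `$name.tmpfile` sits only in the file-part branch, so it never runs when a request carries no file part for `$name`. The `} else {` branch for ordinary fields is not touched by this hunk, and if it stores each field under its submitted name, a client-supplied field ending in `.tmpfile` stays in `$form` unchanged. Consider refusing or skipping such names in the ordinary-field branch as well, in line with the +ad12 `Ns_QueryToSet` change quoted above. Separately, the documentation quoted below says `ns_set update` replaces only the first field with that key, so it is worth confirming that no other `$name.tmpfile` entry can remain in `$form` ahead of the server's value.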

From the documentation: "ns_set update updates the first field in the
specified set whose key is key and replaces its value with value. ns_set
update is equivalent to ns_set delkey followed by ns_set put".
Michael