"Michael A. Cleverly" wrote:
>
> On Fri, 9 Aug 2002, Tom Jackson wrote:
>
> > I have noticed a file upload vulnerability in AOLserver that can be
> > exploited to potentially read, expose or copy the contents of any file
> > readable by the user account under which AOLserver runs.
>
> This vulnerability does not exist in the ArsDigita AOLserver +ad12 & +ad13
> releases. From the DISTRIBUTION.txt change log notes for +ad12:
>
> - Ns_QueryToSet will not allow parameters whose names end with
> ".tmpfile".
Good to know for those who use this version; others beware.
> Also, the real culprit here, in my opinion, is modules/tcl/form.tcl. I'd
> recommend the following change:
>
> --- modules/tcl/form.tcl Fri Feb 1 14:23:43 2002
> +++ modules/tcl/form-patched.tcl Fri Aug 9 19:27:23 2002
> @@ -266,7 +266,7 @@
>
> close $tmp
> seek $fp $end
> - ns_set put $form $name.tmpfile $tmpfile
> + ns_set update $form $name.tmpfile $tmpfile
>
> } else {
> # ordinary field - read lines until next boundary
>
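Review bot: the `ns_set update $form $name.tmpfile $tmpfile` line only overwrites an attacker-supplied `$name.tmpfile` entry that is already in `$form` when the file part is reached; it does nothing to stop the `# ordinary field - read lines until next boundary` branch below from accepting a client field literally named `foo.tmpfile` (which, if it arrives after the file part, is appended as a second entry), and it does not touch requests that are not multipart/form-data, which never enter this loop. Rejecting any client field name ending in `.tmpfile` at the point where `$name` is parsed covers both branches and does not depend on write order into the set.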
Unfortunately, this fix doesn't work. For one, you only get into this
loop if you have enctype=multipart/form-data; otherwise ns_getform uses
[ns_conn form]. Second, _ns_parseformfp in tcl/form.tcl interprets the
passed-in variable as an ordinary variable, skipping the patch above.
I edited the leg that does get executed in a similar way, but the patch
still doesn't work.
However, you have pointed out that my replacement only works in the case
of using [ns_conn form]. A patch that would work for _ns_parseformfp in
modules/tcl/form.tcl would check that no form variable ending in .tmpfile
is allowed:
set disposition [split $disposition \;]
set name [string trim [lindex [split [lindex $disposition 1] =] 1] \"]
+ if {[string match "*.tmpfile" $name]} {
+ ns_log Error "form variable ending in .tmpfile not allowed"
+ # return an error to client
+ ns_returnerror 500 "form variable ending in .tmpfile not
allowed"
+ return -code error
+ }
# fetch and save any field headers (usually just content-type for
files)
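Review bot: the `string match "*.tmpfile" $name` check sits right after `set name ...` and before the file/ordinary-field split, so it covers both kinds of parts, which is the right place; two points on the error path. `ns_returnerror 500` reports a client-chosen field name as a server error, and 400 describes it better. More importantly, `return -code error` after `ns_returnerror` has already sent a response means the caller of _ns_parseformfp (and the page that called ns_getform) sees an error after the response is out and will try to respond again; either have the caller catch that, or skip ns_returnerror here and let the error propagate to one place that answers the client. Logging the offending `$name` in the `ns_log Error` line would also make the attempt attributable in the error log.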
I have added this to form.tcl; you can test the result by visiting:
http://zmbh.com/aolserver-vulnerability/bug/bug-multipart-index.html
I have not patched conn.c, so you can test the vulnerability at:
http://zmbh.com/aolserver-vulnerability/bug/bug-index.html for a few
files in the /tmp directory only.
You can also test your own form by posting to:
http://zmbh.com/aolserver-vulnerability/bug/confirm.tcl
Note that the code in AOLserver 4.0 for this file has probably changed.
--Tom Jackson
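The key collision the thread describes, as an added example in Python (not AOLserver's Tcl, and not code from either poster): a multipart parser that, like the loop the page discusses, writes its own `<field>.tmpfile` key into the same set as the client's ordinary fields with first-match lookups; a naive handler that opens that path; a constructed attack request; and the page's fix of rejecting client names ending in `.tmpfile` at parse time, applied to both the multipart leg and the urlencoded (`[ns_conn form]` / Ns_QueryToSet) leg. The function names, the boundary, the `upload` field, and the secret file are assumptions for the demo.

```python
"""Collision between parser-generated "<field>.tmpfile" keys and client field
names, and the fix of rejecting such names at parse time.

Added illustration, not AOLserver code. File parts are saved to disk and the
path is recorded under "<name>.tmpfile" in the SAME dict the client's fields go
into; lookups keep the first match, modelling ns_set put / ns_set get.
"""
import os
import tempfile
from urllib.parse import parse_qsl

RESERVED_SUFFIX = ".tmpfile"   # suffix the parser reserves for its own keys


class BadFieldName(ValueError):
    """Client-supplied field name that collides with a parser-generated key."""


def check_name(name: str) -> str:
    # The page's fix: refuse any client field whose name ends in ".tmpfile".
    # Case-insensitive by choice here; the posted patch uses a plain string match.
    if name.lower().endswith(RESERVED_SUFFIX):
        raise BadFieldName(f"form variable {name!r} ending in {RESERVED_SUFFIX} not allowed")
    return name


def parse_query(query: str, reject_reserved: bool) -> dict:
    # Urlencoded leg (what [ns_conn form] / Ns_QueryToSet handles): same namespace, same bug.
    form = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if reject_reserved:
            check_name(name)
        form.setdefault(name, value)   # first occurrence wins, like ns_set get
    return form


def parse_multipart(body: bytes, boundary: str, reject_reserved: bool, tmpdir=None) -> dict:
    # Multipart leg, shaped like _ns_parseformfp: split on the boundary, read each
    # part's Content-Disposition, save file parts to a temp file.
    form = {}
    for part in body.split(b"--" + boundary.encode())[1:]:
        if part.startswith(b"--"):          # closing delimiter
            break
        header_blob, _, content = part.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):
            content = content[:-2]
        disposition = ""
        for line in header_blob.strip().split(b"\r\n"):
            key, _, value = line.decode().partition(":")
            if key.strip().lower() == "content-disposition":
                disposition = value
        params = {}
        for item in disposition.split(";")[1:]:
            key, _, value = item.strip().partition("=")
            params[key] = value.strip('"')
        name = params["name"]
        if reject_reserved:
            check_name(name)            # rejects file parts and ordinary fields alike
        if "filename" in params:
            fd, tmpfile = tempfile.mkstemp(dir=tmpdir)
            with os.fdopen(fd, "wb") as fh:
                fh.write(content)
            form.setdefault(name, params["filename"])
            # Collision point: a parser-derived key in the client's namespace.
            # With first-match semantics an earlier client field of this name wins.
            form.setdefault(name + RESERVED_SUFFIX, tmpfile)
        else:
            form.setdefault(name, content.decode())
    return form


def handle_upload(form: dict) -> bytes:
    # A naive page: read the "uploaded" file from the path the parser recorded.
    path = form.get("upload" + RESERVED_SUFFIX)
    if path is None:
        return b""
    with open(path, "rb") as fh:
        return fh.read()


def build_attack_body(boundary: str, target_path: str) -> bytes:
    # Constructed request: the ordinary field named "upload.tmpfile" comes BEFORE
    # the real file part so the first-match lookup returns the attacker's path.
    parts = [("upload" + RESERVED_SUFFIX, None, target_path.encode()),
             ("upload", "note.txt", b"harmless upload")]
    out = b""
    for name, filename, content in parts:
        disp = f'form-data; name="{name}"'
        if filename is not None:
            disp += f'; filename="{filename}"'
        out += f"--{boundary}\r\nContent-Disposition: {disp}\r\n\r\n".encode() + content + b"\r\n"
    return out + f"--{boundary}--\r\n".encode()


def demo() -> tuple:
    # Returns (bytes leaked by the unpatched parser, outcome with the check enabled).
    boundary = "constructed-boundary-7a3"
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("db password: hunter2\n")       # constructed secret
        body = build_attack_body(boundary, secret)
        leaked = handle_upload(parse_multipart(body, boundary, False, tmpdir=d))
        try:
            parse_multipart(body, boundary, True, tmpdir=d)
            outcome = "accepted"
        except BadFieldName as err:
            outcome = str(err)
    return leaked, outcome


if __name__ == "__main__":
    leaked, outcome = demo()
    print("unpatched parser leaked:", leaked)
    print("with .tmpfile check:", outcome)
```

Running `demo()` shows the unpatched parser handing the handler the contents of the secret file, while the checked parser raises before the file part is even saved. The same `check_name` guards `parse_query`, which is the point the thread makes about `[ns_conn form]`: the multipart patch alone leaves the urlencoded leg open. Switching the file part's `setdefault` to a plain assignment reproduces the `ns_set update` proposal, which only helps when a real file part with that name follows the attacker's field.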