> From: Nathaniel Alfred [mailto:[EMAIL PROTECTED]]
>
> <SECURITY-ALERT>
> Second, there is as far as I can see a *BIG* security hole here.
> The filename supplied in the request data is used verbatim in
> constructing the filepath on the server. By crafting a request
> with enough ../ in the filename an attacker can overwrite any
> file writable by the container process!!
The line is, I think:

    // keep only the last path component of the client-supplied name
    String fileName =
        new File((String) headers.get("filename")).getName();

The use of getName() ensures that only the last part of the
filename is used. That is:

    System.out.println(new File("../../etc/passwd").getName());

prints "passwd" only.
Can you verify that this really is a break?
> At the very least anybody can fill up my disk by sending fake
> file upload requests. Note that it is not necessary to have a
> file upload page. All that happens at the very beginning of
> request handling before any Cocoon based access control
> mechanisms could stop it!!! </SECURITY-ALERT>
And I can flatten your webserver via DDoS. I think this only warrants
one (1) exclamation mark, not three (3).
I'm about to dig into the request processing parts of Cocoon,
and if the filename parsing is wrong - I'll fix it. But any DoS
attack, well, I'm leaving that for a follow-up team.
/LS
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
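Editor's added example, not code from this thread or from Cocoon: a small, self-contained Java program that runs java.io.File.getName() over a handful of constructed upload filenames (the "../../etc/passwd" case from the reply plus a few edge cases) and then layers the extra checks a practitioner would want on top of it. UploadNameCheck, safeTarget() and the upload directory under java.io.tmpdir are assumptions made for the demonstration only. The one caveat it shows is that getName() splits only on the running platform's File.separatorChar, so a name such as "..\\..\\boot.ini" is left intact on Unix, and "." or ".." pass through unchanged; the stricter check rejects those and confirms the canonical target stays inside the upload directory.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not Cocoon code): what File.getName() does with
 * client-supplied upload filenames, and a stricter check layered on top.
 */
public class UploadNameCheck {

    /** Hypothetical upload directory; a real container would use its own. */
    static final File UPLOAD_DIR =
        new File(System.getProperty("java.io.tmpdir"), "cocoon-upload-demo");

    /** Mirrors the quoted line: keep only the last path component. */
    static String baseName(String supplied) {
        return new File(supplied).getName();
    }

    /**
     * Stricter check: take the basename, then refuse names that are empty,
     * "." or "..", or that still contain a slash, backslash or NUL
     * (getName() only splits on File.separatorChar, so on Unix a backslash
     * survives), then confirm the canonical target is inside UPLOAD_DIR.
     * Returns null for anything that should be refused.
     */
    static File safeTarget(String supplied) throws IOException {
        String name = baseName(supplied);
        if (name.isEmpty() || name.equals(".") || name.equals("..")
                || name.indexOf('/') >= 0 || name.indexOf('\\') >= 0
                || name.indexOf('\0') >= 0) {
            return null;
        }
        File target = new File(UPLOAD_DIR, name);
        // Trailing separator so "upload-demo-evil" is not mistaken for
        // a child of "upload-demo".
        String dirCanon = UPLOAD_DIR.getCanonicalPath() + File.separator;
        String targetCanon = target.getCanonicalPath();
        if (!targetCanon.startsWith(dirCanon)) {
            return null;
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample filenames, as a client might send them.
        List<String> samples = Arrays.asList(
            "report.pdf",
            "../../etc/passwd",
            "/etc/passwd",
            "..",
            "..\\..\\boot.ini",
            "");
        for (String s : samples) {
            File t = safeTarget(s);
            System.out.printf("%-22s getName() -> %-20s accepted: %s%n",
                "\"" + s + "\"", "\"" + baseName(s) + "\"",
                t == null ? "no" : "yes (" + t.getPath() + ")");
        }
    }
}
```

Run it with `javac UploadNameCheck.java && java UploadNameCheck`. On a Unix host the "../../etc/passwd" and "/etc/passwd" rows both reduce to "passwd" and are accepted, which is the behaviour the reply describes; ".." and the empty name are refused by the explicit checks, and the backslash name is refused because getName() left the backslashes in place. On Windows that last name reduces to "boot.ini" instead, which is why the check tests for both separator characters rather than relying on the platform's.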