Bug Tracker item #2932993, was opened at 2010-01-15 18:34
Message generated for change (Comment added) made by sbajic
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1126467&aid=2932993&group_id=250683

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: daemon
Group: v3.9.0
Status: Open
Resolution: None
Priority: 9
Private: No
Submitted By: Enrico Scholz (ensc)
Assigned to: Stevan Bajic (sbajic)
Summary: Path traversal vulnerability

Initial Comment:
$ dspamc --classify --user ../../../../../../etc -- < /tmp/sp

# strace -f `pidof dspamd`
stat64("/var/lib/dspam/data/././../../../../../..", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
...

# ll /
-rw-rw---- 1 root mail 1573112 15. Jan 18:24 etc.css
-rw-rw---- 1 root mail       0 15. Jan 18:24 etc.lock
-rw-rw---- 1 root mail      12 15. Jan 18:24 etc.stats

-------

'dspam' should do some sanity checks regarding the username. Trusting e.g. the MTA that only valid usernames are submitted does not suffice because there are dozens of ways in which 'dspam' can be invoked and they cannot all be verified. Measures like non-root execution of 'dspamd' can lower the impact of this attack but I would not trust in that either.

----------------------------------------------------------------------

>Comment By: Stevan Bajic (sbajic)
Date: 2010-01-19 13:38

Message:
Hello Enrico

any news regarding the attached patch?

--
Kind Regards from Switzerland,
Stevan Bajić

----------------------------------------------------------------------

Comment By: Stevan Bajic (sbajic)
Date: 2010-01-18 16:26

Message:
Hello Enrico Scholz

Could you try the attached patch?
--
Kind Regards from Switzerland,
Stevan Bajić

----------------------------------------------------------------------

_______________________________________________
Dspam-devel mailing list
Dspam-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspam-devel
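The kind of username sanity check the report asks for, written here as an added example in C (it is not dspam's code and not the patch attached to this ticket); it assumes the data directory /var/lib/dspam/data seen in the strace output and an allowlist policy of [A-Za-z0-9._@-] with a leading alphanumeric character:

```c
/* Added example, not dspam's own code nor the ticket's patch: validate a
 * username before building a path under the DSPAM data directory. The base
 * directory /var/lib/dspam/data is assumed from the strace output above. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define DSPAM_DATA_DIR "/var/lib/dspam/data"
#define MAX_USERNAME 64

/* 1 if user is a safe single path component, else 0. Assumed policy: non-empty,
 * at most MAX_USERNAME bytes, not "." or "..", leading alphanumeric, and only
 * [A-Za-z0-9._@-], which excludes '/', '\\' and whitespace outright. */
int dspam_username_ok(const char *user)
{
    size_t len, i;
    if (user == NULL) return 0;
    len = strlen(user);
    if (len == 0 || len > MAX_USERNAME) return 0;
    if (strcmp(user, ".") == 0 || strcmp(user, "..") == 0) return 0;
    if (!isalnum((unsigned char)user[0])) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '@' || c == '-')) return 0;
    }
    return 1;
}

/* Builds "<base>/<user>.<suffix>" (e.g. enrico.css) into out. Returns 0 on
 * success, -1 if the name is rejected or out is too small. The result is
 * re-checked so that it is exactly one component below the base directory. */
int dspam_user_file(const char *user, const char *suffix, char *out, size_t outlen)
{
    int n; const char *rest;
    if (!dspam_username_ok(user)) return -1;
    n = snprintf(out, outlen, "%s/%s.%s", DSPAM_DATA_DIR, user, suffix);
    if (n < 0 || (size_t)n >= outlen) return -1;
    /* sizeof counts the NUL, so this compares the base plus its trailing '/' */
    if (strncmp(out, DSPAM_DATA_DIR "/", sizeof(DSPAM_DATA_DIR)) != 0) return -1;
    rest = out + sizeof(DSPAM_DATA_DIR);
    if (rest[0] == '.' || strchr(rest, '/') != NULL) return -1;
    return 0;
}

int main(void)
{
    char path[256];
    int rc = dspam_user_file("../../../../../../etc", "css", path, sizeof path);
    printf("%s\n", rc == 0 ? path : "REJECTED");   /* prints REJECTED */
}
```

With the name from the report the path is never built, so no etc.css, etc.lock or etc.stats can land in /; the second check also catches a valid-looking name that somehow still produced a path outside the base directory.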