Xymon Mailing List Archive search

Security issue with Hobbit "config" command.

2 messages in this thread

list Henrik Størner · Wed, 2 Aug 2006 17:41:06 +0200 · 
On Wed, Aug 02, 2006 at 10:11:42AM -0500, Kruse, Jason K. wrote:
The config directive does not stay locked into the etc directory but
will follow ../.. to allow access to any file the hobbit user has access
to on the system.
Thanks, this was not meant to happen. There was actually a security
check in the code, but it got two parameters in the wrong order, so
it would always grant access. A patch is attached.


Regards,
Henrik

-------------- next part --------------
--- hobbitd/hobbitd.c	2006/07/21 20:32:51	1.251
+++ hobbitd/hobbitd.c	2006/08/02 15:38:47
@@ -25,7 +25,7 @@
 /*                                                                            */
 /*----------------------------------------------------------------------------*/
 
-static char rcsid[] = "$Id: hobbitd.c,v 1.251 2006/07/21 20:32:51 henrik Exp $";
+static char rcsid[] = "$Id: hobbitd.c,v 1.252 2006/08/02 15:38:04 henrik Exp $";
 
 #include <limits.h>
 #include <sys/time.h>
@@ -2563,7 +2563,7 @@
 		p = strtok(p, " \t\r\n");
 		conffn = strdup(p);
 		xfree(msg->buf);
-		if (conffn && (strstr("../", conffn) == NULL) && (get_config(conffn, msg) == 0) ) {
+		if (conffn && (strstr(conffn, "../") == NULL) && (get_config(conffn, msg) == 0) ) {
 			msg->doingwhat = RESPONDING;
 			msg->bufp = msg->buf;
 		}
list Frédéric Mangeant · Wed, 02 Aug 2006 17:48:13 +0200 ·
quoted from Henrik Størner
Le 02/08/2006 17:41, Henrik Stoerner a écrit :
Thanks, this was not meant to happen. There was actually a security
check in the code, but it got two parameters in the wrong order, so
it would always grant access. A patch is attached.
  
Hi Henrik

maybe a patch should be released for 4.1.2p1 (I've tested, any file can 
be read) ?

-- 

Frédéric Mangeant

Steria EDC Sophia-Antipolis