Date: Tue, 1 Mar 2011 13:21:46 +0100 From: Pierre Joye <pierre.php@...il.com> To: Dan Rosenberg <dan.j.rosenberg@...il.com> Cc: oss-security@...ts.openwall.com, Helgi Þormar Þorbjörnsson <helgi@....net> Subject: Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack On Tue, Mar 1, 2011 at 1:19 PM, Dan Rosenberg <dan.j.rosenberg@...il.com> wrote: > The easiest way is to just open the target with the O_NOFOLLOW flag to > avoid following symlinks and abort on failure. If you need to support > systems that don't have this flag, then perhaps you could consider > using an application-specific temporary directory instead of operating > in the world-writable /tmp. In php, hard to do. But that's something we should keep in mind, maybe we can expose this flag somehow. >>> Also, I don't see a reason why a hard link couldn't be used for exploitation >>> instead. >> >> Hard link are not detectable (lstat), they are treated like normal files. >> > > Sure they are - just open the file, fstat() it, +from PHP script. -- Pierre @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.