Date: Mon, 18 Jul 2016 20:53:51 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: libupnp write files via POST Hi, Wanted to point out this report by Matthew Garret (not sure if there's anything else than a couple of tweets public): https://twitter.com/mjg59/status/755062278513319936 Notable: "Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem" "Seriously. Find a device running a libupnp based server (Shodan says there's rather a lot), and POST a file to /testfile. Then GET /testfile" "…and yeah if the server is running as root (it is) and is using / as the web root (probably not, but maybe) this gives full host fs access" And later on: "Emailed the Debian security team a couple of months ago, no response" Not good... Patch: https://github.com/mjg59/pupnp-code/commit/be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd -- Hanno Böck https://hboeck.de/ mail/jabber: hanno@...eck.de GPG: BBB51E42 Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.