[MBT] new ticket for pkg mirror "Error when saving files"

bugs at pld.org.pl
Tue Nov 12 09:41:51 CET 2002


Date: 2002-11-12 09:41:51+01	Author: Paweł Posiewała (pawel) <pawel at jerzy.prz.rzeszow.pl> 
Title:         Error when saving files
Ticket ID:     #429
Ticket URL:    http://bugs.pld.org.pl/?bug=429
Package:       mirror-PLD-Ra.main 2.9-5
Distribution:  
Category:      security problem
Current state: opened
Text:

Quote from:
http://sunsite.org.uk/packages/mirror/security_note.txt

On Tue, 28 Sep 1999, 3APA3A wrote:
>
> Hello BUGTRAQ at SECURITYFOCUS.COM,
>
> mirror is a Perl script which is widely used for making copy of remote
> FTP site. It's included in FreeBSD packages. There are security holes,
> which allows overwrite local files from remote ftp site with
> permissions of the user who uses mirror. Then retrieving directory
> listing mirror doesn't check filename or directory name to contain
> ".." or "" This allows to create or overwrite files in directory
> different from destination.
>
> To simply test this bug you can create " .." directory on your ftp
> site and mirror your site. Mirror will create temporary files in
> directory one level higher than specified. This way you couldn't
> overwrite some useful information, but this may be used, for example,
> to fill out / directory (if mirror is run from root).
>
> But with putting little changes into your ftpd (for example making him
> change '' to '/' on listings) you can force mirror to overwrite _any_
> file with permissions of mirror user then he mirrors your ftp site.
>
>
> Tested with:
> $ mirror -v
> $Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $

In my defense mirror was written back in the old days before they
allowed nasty people to use the Internet :-(

Anyhow.  A simple fix to overcome this problem is to add the following
to your mirror.defaults (and to any package that overrides this
setting):

name_mappings=s:\.\./:__/:g

This should convert names like:
    " ../rot"
to
    " __/rot"
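
An added example, not part of the ticket or of mirror's own code: the quoted name_mappings substitution reproduced in Python, next to a component-wise containment check that a mirroring tool could apply to every listing name before writing. It goes beyond the single substitution in the text; the destination /srv/mirror, the sample names, the function names and the whitespace trimming (suggested by the " .." test above) are assumptions.

```python
import posixpath
import re


def apply_name_mapping(name):
    # Python equivalent of the quoted rule name_mappings=s:\.\./:__/:g
    return re.sub(r"\.\./", "__/", name)


def safe_local_path(dest_root, remote_name):
    """Map a listing name below dest_root, or raise ValueError."""
    if remote_name.strip().startswith("/"):
        raise ValueError("absolute name")
    parts = []
    for comp in remote_name.split("/"):
        comp = comp.strip()  # assumption: surrounding whitespace is trimmed
        if comp in ("", "."):
            continue
        if comp == "..":
            raise ValueError("parent-directory component")
        parts.append(comp)
    if not parts:
        raise ValueError("empty name")
    root = posixpath.normpath(dest_root)
    local = posixpath.normpath(posixpath.join(root, *parts))
    if posixpath.commonpath([root, local]) != root:  # final containment check
        raise ValueError("resolves outside destination")
    return local


# Constructed sample listing names, not taken from a real server.
SAMPLE_NAMES = ["pub/README", " ../rot", "pub/../../etc/passwd", "docs/..", "./pub/a.txt"]


def audit(dest_root, names):
    """Return (name, mapped name, local path or rejection reason) per entry."""
    report = []
    for name in names:
        try:
            verdict = safe_local_path(dest_root, name)
        except ValueError as exc:
            verdict = "REJECTED: " + str(exc)
        report.append((name, apply_name_mapping(name), verdict))
    return report


if __name__ == "__main__":
    for row in audit("/srv/mirror", SAMPLE_NAMES):  # hypothetical destination
        print(row)
```

The substitution only rewrites the literal sequence `../`, so a name such as `docs/..` passes through it unchanged, while the component check rejects it.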


