
Re: FreeBSD suggests not to use lynx.



Andreas Tille wrote:
> >   if [ -f /tmp/$$.html ]; then
> >       rm -f /tmp/$$.html
> >   fi
> >   /usr/lib/cgi-bin/dsearch $1 | \
> > 	    sed 's/\/doc/\/usr\/share\/doc/g' > /tmp/$$.html
> Could you be so kind for unclever people like me to explain this
> anywhere (maybe on devel) how this would work.  I don't see the relation
> between /tmp/$$.html and would like to understand the problem to avoid
> such cases in my own programs.

It's quite simple. An attacker merely guesses what pid the script will run
with, and makes a /tmp/<pid>.html file that is a link to, say, /etc/passwd.

The attacker then enters a tight loop, looking at the file (it might help
you to think of it forking off about 50 attackers, all doing this). If it is
deleted, it replaces it with the same link.

1 When the script runs, it deletes the file. 
2 With luck, the attacker runs at the right time, and replaces it.
3 The script echoes some text to the file, which is a symlink to /etc/passwd, and
  results in /etc/passwd being trashed.

See any introductory security text for details.

-- 
see shy jo
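As an added illustration (not part of the original thread or the lynx package), here is the predictable `/tmp/$$.html` pattern next to a version that lets mktemp create an unguessable file atomically, so a pre-placed symlink is never followed; the `dsearch` CGI is replaced by a stand-in function, and `is_safe_tempfile` is an assumed helper name.

```shell
#!/bin/sh
# Stand-in for /usr/lib/cgi-bin/dsearch (constructed for this example).
dsearch() {
    printf '<a href="/doc/%s">%s</a>\n' "$1" "$1"
}

# VULNERABLE (same shape as the quoted script): the name is derived from
# the pid, so an attacker can pre-create /tmp/<pid>.html as a symlink and
# win the race between "rm -f" and the redirect.
unsafe_render() {
    out="/tmp/$$.html"
    if [ -f "$out" ]; then
        rm -f "$out"
    fi
    dsearch "$1" | sed 's,/doc,/usr/share/doc,g' > "$out"
}

# HARDENED: mktemp picks a random name and creates the file with
# O_CREAT|O_EXCL and mode 0600, so no attacker-controlled link can already
# occupy the path. The created path is printed for the caller to use and
# remove.
safe_render() {
    tmpfile=$(mktemp "${TMPDIR:-/tmp}/dsearch.XXXXXX") || return 1
    if ! dsearch "$1" | sed 's,/doc,/usr/share/doc,g' > "$tmpfile"; then
        rm -f "$tmpfile"
        return 1
    fi
    printf '%s\n' "$tmpfile"
}

# Check before reusing any existing temp path: a symlink or a non-regular
# file in a shared directory must be treated as hostile.
is_safe_tempfile() {
    [ ! -L "$1" ] && [ -f "$1" ]
}
```

`unsafe_render` is kept only for comparison; the run below exercises the hardened path and the symlink check.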

