Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Date: Wed Aug 22 2001 - 19:56:29 CDT
-----BEGIN PGP SIGNED MESSAGE-----
BSCW Security Issues
[ Vulnerability Type ]
The BSCW software follows symlinks.
[ Effect ]
malicious user can read every file on system that BSCW UID can read.
[ Software affected ]
BSCW3.x (only on *ix systems)
[ Severity ]
medium risk / high risk
[ Solution ]
install patches / updates from http://bscw.gmd.de/pycXX , where XX is
the version of your python installation.
While playing around with symlinks and how the BSCW system handles them, i
noticed that it follows symlinks. Since it offers users the ability to extract
.tar files into their "data-bag" (private space), symlink following can be
exploited by a malicious user. To to this he/she needs to create a .tar file
that contains a symlink, pointing to a file he/she wants to read. After this
.tar file has been uploaded to the BSCW server and extracted by clicking on
the "extract" menu option, the "data-bag" of the user contains the symlink as
a BSCW data object. Clicking on it will make the BSCW system follow the
symlink and retrieve the target file, so the user is able to download/view
my_host:/tmp/>ln -s /etc/passwd testlink
my_host:/tmp/>tar cvf testlink.tar testlink
After uploading it to the BSCW server and extracting it, you can click on the
"testlink" item in your "data-bag" and retrieve the /etc/passwd file of the
Basically the attacker can view any file on a system, as long as the UID,
under which the BSCW system is running, could access it. In most cases this
will be the same UID as the webserver UID (nobody, wwwrun). This can give
the malicious user access to BSCW data items, he could normally not read, or
worse, it could be used to retrieve the BSCW password file for cracking other
user passwords or information gathering for further system penetration.
The early "op_extract" fixes that but leaves a few other exploitable issues.
Another vulnerability consists in the standard installation which includes a
call of "zip" tool when converting .tar files to .zip files. After the
"op_extract" patch you could not access the symlink, since the new extract
function checks for symlinks after tar is called. By converting the
attackers .tar file to a .zip file, zip will follow the symlink and pack
the file, which was targeted by the link. If you have customized calls
to external programs (e.g. packer conversion utilities) in your BSCW
system configuration, you should check if symlink following can be exploited).
The latest patch "untar.py" introduces a wrapper, which looks for symlinks
and seem to fix all symlink vulnerabilities.
You can download the patches and view the installation instructions at
http://bscw.gmd.de/pycXX , where XX is the version of your installed python
package (e.g. http://bscw.gmd.de/pyc20 for python 2.0).
The developers of bscw have done a good job patching the security holes
within 24h, after i sent them a notice about the vulnerability.
public key at http://www.wiretap.de/neovatar.pub
im not affiliated with GMD or ORBITEAM or BSCW in any way. Registered
trademarks and terms in this report belong to their owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----