[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: Vim backup Source Disclosure Vulnerability
From:       Peter W <peterw () usa ! net>
Date:       2001-12-28 19:15:41
[Download RAW message or body]

On Fri, Dec 28, 2001 at 01:25:25AM -0500, Chris Gragsone wrote:

> Vim backup Source Disclosure Vulnerability

> Affected Software:
> Vim

Bah!

> This is not a software bug rather a misconfiguration or administrative 
> oversight.

> This vulnerability has been tested 
> with PHP4 on Apache, but should affect all other scripts which are 
> routinely edited in the manner.

...and which reside in the doc root. Stuff your application code inside 
ScriptAlias directories and any backup copies will either be executed, or 
generate errors, depending on their permission bits.

> Vulnerability Reproduction:
> with Vim 4.0 and later: http://footclan.realwarp.net/passwd.php~
> with Vim 3.0 and earlier: http://footclan.realwarp.net/passwd.php.bak

There's not really anything new here, and *absolutely no reason* to name
this "advisory" as if it's a problem with 'vim'. Many text editors,
including vim's supposed nemesis emacs, have similar behaviors.

As a friend of mine likes to say, if there's a problem here, it lies between 
the chair and keyboard. :-)

If you want to be helpful, suggest a real fix, eh? The basic problem here is
that some fool is saving new files to the document root, and the httpd has
been configured to publish anything it can find and read in its document
root. One way to guard against accidental leakage like this is to configure
the httpd to only serve objects whose extensions (and, therefore, MIME
types) are recognized. Here's how you can easily do it for Netscape 
Enterprise Server/iPlanet Web Server (in obj.conf):

# *replace* your current "force-type" ObjectType directive with one
# that flags unrecognized extensions with a special MIME type
ObjectType fn="force-type" type="magnus-internal/unknown"
# Now we tell the httpd to error out for unrecognized extensions;
# the "path" should *not* exist; this will make the server respond with
# a 404/Not Found error for any unrecognized extension; this needs to
# come before any other Service directives whose "type" arguments
# would match "magnus-internal/unknown"
Service fn="send-error" type="magnus-internal/unknown" path="/bogus"

I'm not sure how much work would be required to do similar things for
Apache, AOLServer, or other httpds.

Of course if your text editor saves with a suffix that's listed in your MIME
type configuration, or uses a prefix (Allaire HomeSite, anyone?), or perhaps
if your httpd tries to "magically" determine an object's MIME type, or the
backup file is in a CGI directory and the editor saves the backup w/ the
execute bits on, well, this approach won't save you from that. I mean, the
underlying problem lies with how the content is managed and updated.

Bottom line is you shouldn't put anything on a public httpd that you don't 
want, umm, public.

-Peter

Happy holidays & new year to all, especially Harlan
[prev in list] [next in list] [prev in thread] [next in thread]