egghelp/eggheads community Discussion of eggdrop bots, shell accounts and tcl scripts. 2009-04-20T22:11:28-04:00 https://forum.eggheads.org/app.php/feed/topic/16826 2009-04-20T22:11:28-04:00 2009-04-20T22:11:28-04:00 https://forum.eggheads.org/viewtopic.php?p=88523#p88523 <![CDATA[dccsend with arguments security issue [SOLVED]]]> <3 tcl :)

Statistics: Posted by raider2k — Mon Apr 20, 2009 10:11 pm

]]> 2009-04-20T22:07:43-04:00 2009-04-20T22:07:43-04:00 https://forum.eggheads.org/viewtopic.php?p=88522#p88522 <![CDATA[dccsend with arguments security issue [SOLVED]]]>

Isn't that the beauty with scripting and programming that you're almost never limited to a single way to solve things :)

Statistics: Posted by dmg — Mon Apr 20, 2009 10:07 pm

]]> 2009-04-20T22:00:43-04:00 2009-04-20T22:00:43-04:00 https://forum.eggheads.org/viewtopic.php?p=88521#p88521 <![CDATA[dccsend with arguments security issue [SOLVED]]]>
03:54 <@dMG> !get ../../../../etc/passwd
03:54 <@hosee2> requesting transfer of ../../../../etc/passwd to dMG
03:54 <@hosee2> ok! sending file
03:54 <@hosee2> ---==(\/)- getdiz by dmg -(\/)==---
woah lol
yup thats really a nice one :D

try the possible solution i gave you, should work out fine, if not try

Code: 

if { [string equal -nocase "*../*" $arg] } {   putlog "wrong path"    return 0}
theres always more than one way to solve something :)

Statistics: Posted by raider2k — Mon Apr 20, 2009 10:00 pm

]]> 2009-04-20T21:56:04-04:00 2009-04-20T21:56:04-04:00 https://forum.eggheads.org/viewtopic.php?p=88520#p88520 <![CDATA[dccsend with arguments security issue [SOLVED]]]>

Any user with access to the !get command and a known filename could use it like this f.i.:

03:54 <@dMG> !get ../../../../etc/passwd
03:54 <@hosee2> requesting transfer of ../../../../etc/passwd to dMG
03:54 <@hosee2> ok! sending file
03:54 <@hosee2> ---==(\/)- getdiz by dmg -(\/)==---

so they don't seem to be jailed to the $rootdir (as i too thought first).

edit:

thx! i'll try playing around with that! :)

Statistics: Posted by dmg — Mon Apr 20, 2009 9:56 pm

]]> 2009-04-20T21:49:09-04:00 2009-04-20T21:49:09-04:00 https://forum.eggheads.org/viewtopic.php?p=88519#p88519 <![CDATA[dccsend with arguments security issue [SOLVED]]]>
if thats the case i dont see anything wrong because $rootdir is "hardcoded" and since you are using $arg as an addition to $rootdir your users will get "jailed" into $rootdir anyway.

correct me if i got something wrong ;)

edit:

what you COULD do to limit ../../ is to add:

Code: 

if { [regexp -all -nocase -- {\.\./} $arg] } {putlog "wrong path"return 0}

Statistics: Posted by raider2k — Mon Apr 20, 2009 9:49 pm

]]> 2009-04-20T22:08:04-04:00 2009-04-20T21:17:45-04:00 https://forum.eggheads.org/viewtopic.php?p=88518#p88518 <![CDATA[dccsend with arguments security issue [SOLVED]]]>
I'm a beginner at tcl scripting and i've made a script that looks something like this:

Code: 

set chan "#ascii"set botdir  "/home/dmg/hosee2"set rootdir "$botdir/filesys"set scrver   "getdiz"set author   "dmg"bind pub v !get get_fileproc get_file { nick uhost hand chan args } {  global rootdir  global scrver  global author  regsub -all -nocase {[^[:alnum:][][$\\]._()!'?^-]} [lindex $args 0] {} arg  if { [llength $arg] != 1 } {putchan $chan "Usage: !get \[\[path\] <filename>\]"return 0  } else {  set find "$rootdir/$arg"  set send [dccsend $find $nick]  putchan $chan "requesting transfer of $arg to $nick"  if { [passwdok $hand ""] == 1 } {putchan $chan "you have to set a password (or maybe you must identify yourself?)."return 0  }  if { $send == 0 } { putchan $chan "\002ok!\002 sending file" }  if { $send == 1 } { putchan $chan "too many connections. try again later)" }  if { $send == 2 } { putchan $chan "can't open a socket for the transfer. try again later" }  if { $send == 3 } { putchan $chan "the file $arg \002does not exist\002 (maybe you entered the wrong path?)" }  if { $send == 4 } { putchan $chan "too many simultanious transfers. putting file in queue" }  putchan $chan "---==(\\/)- $scrver by $author -(\\/)==---"  return 1  }}putlog "$scrver by $author"
Everything is fine and dandy except that i found out that it will accept any kind of argument to it so using !get ../../filename or whichever path/file not limited by local rights settings would be possible.

My question is: How could i limit the script/argument to refuse access outside of the $rootdir variable?

..oh, and if you wonder, the regexp is because the files in my archive (ascii art), can sometimes have crazy characters in the filename.

Please be gentle with me since i haven't quite understood how everything works and what everything does yet :)

Statistics: Posted by dmg — Mon Apr 20, 2009 9:17 pm

]]>