CISA says 'no more' to decades-old directory traversal bugs CISA is calling on the software industry to stamp out directory traversal vulnerabilities following recent high-profile exploits of the 20-year-old class of bugs. As part of its long-running series of alerts that promote secure-by-design practices in software, the US cybersecurity agency bemoaned the fact these vulnerabilities …
Makes it much easier for the crooks to mark what belongs to them.
Apparently CISA has a sense of humor:
"Instead of relying on user input when naming files, developers should consider using a ransom identifier for each file and storing the associated metadata separately"
Change the basis of 20+ years of OS and file system functionality that would be great.
I'm sure its an easy fix, especially for the software that's been out there running the systems that run everything forever. Just push an update for win3.11 I guess*.
*only potentially hyperbole, the reality could be worse.
Change the basis of 20+ years of OS and file system functionality that would be great.
It's not that difficult, it's just some .Net nonsense. CISA should be saying "no more" to .Net.
“Eliminating directory traversal bugs is just one step towards achieving a truly secure-by-design approach to software.”
Until these geniuses can design a truly secure Memory Management Unit such fixes are only so much sticking plaster.
Dr. Evil: Our evil scientists are building a giant quantum supercomputer to brute force attack and gain access to the infrastructure. After millions in development it be ready and then in a few years we will crack the systems and take over the world [pinky to mouth]. Hmmmm?
Scott: Why don’t we use a quick and easy directory traversal attack?
Dr. Evil: Please excuse my son Scott, he’s obviously inexperienced in these matters.
and the one about limiting file names is great where the programmer can control it, what happens when the files are named by another party like the IRS? The DOD? What about embedded paths in whatever they are uploading?
Sanitize what you can, but if you are letting users upload files, there will probably always be an edge case that can escape whatever sandbox you build.
Much like anything with dates and time, if you think you have it covered with a couple simple lines, you are wrong and need to step aside and let someone else fix it with a 3rd party library. Preferably one that is at least a decade old, and was updated in the last week. And yes there are libraries for checking paths, and yes people still keep trying to do it themselves. (see the recent Reg on batch files).
In Unix, two immediate solutions come to mind.
1) Run in a chroot'ed process. (Just make certain that there are no mountpoints under the chroot!)
2) Make sure that at every point in the file name, the number of observed-so-far "real" components is >= the number of ".." components.
Neither of these strike me as particularly difficult.
Allowing compressed archives to be uploaded brings other risks as well, such as TB-sized all-zero compressed bombs, etc. Ideally just get folks to upload individual files and be done with it, or in any archive ignore the paths and extract only the files in to a sandbox temporary file system area of limited size.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
