rejetto forum

[SOLVED] BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!


Offline MarkV

The error occurs everywhere. '...' means 'go up 2 directories', maybe rejetto covered only '..'?
So if you share a directory directly below HFS, the bug allows you to go to the parent directory of HFS (Program files?) and from there to all directories and files of this directory, including HFS itself. This is serious.

If the shared directory is only 1 or 2 levels deep, there is no bug. It starts to appear from the 3rd level and below.
http://worldipv6launch.org - The world is different now.


Offline Metaltailz

Tested in Windows XP pro, confirmed negative.
Next Monday I will test it on a Windows NT system. (I don't have access to it on the weekend.)
Current Project: Template based on Windows Home Server
Status: Delayed


Offline Mars

  • Operator
Can somebody run the same test under Windows 9x using \.... (with 4 points instead of 3) and report the result, please ;)

« Last Edit: January 16, 2009, 11:06:12 PM by mars »


Offline Mars

  • Operator
Thanks R][M 

Here we are: I recompiled rejetto's sources (safely) with a small modification for the 9x bug. Please test this version and report back.

Somewhere in main .pas:
Quote
        // we don't list these entries
        if (sr.name = '.') or (sr.name = '..') or (sr.name = '...')      //mod by mars bug 9x
.....
    // no directory crossing
    if ansiContainsStr(s, '\..\') or ansiEndsStr('\..', s) then exit;
    if ansiContainsStr(s, '\...\') or ansiEndsStr('\...', s) then exit;  //add by mars bug 9x
 

Build 219 has arrived, so I have removed the zip attached to this post.


Small message for rejetto: the zip file will be deleted as soon as you have corrected the problem in the next build.
« Last Edit: January 17, 2009, 01:52:03 PM by mars »


Offline r][m

Mars
Your fix worked on win98se.
/../ returns to root, but 1, 3, & 4 return my HFS  404 - Not Found page.

Many thanks!


Offline rejetto

  • Administrator
The problem is exactly that: Win9x supports 3 and 4 dots.
http://www.iss.net/security_center/advice/Intrusions/2000617/default.htm
I knew this, but I thought it was translated by the shell, not by the kernel itself. Thanks Microsoft.

I don't know about more points, but I made a quick test and creating a file with the name "....." (5) is not allowed, so there's no point in allowing any name containing only dots.
I will soon publish an official fix.

Sorry, PC, for the early suspicions.
« Last Edit: January 17, 2009, 01:34:04 PM by rejetto »
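
The difference between the substring checks quoted in Mars's post and the "no name containing only dots" rule described in the post above, as an added example that is not part of the thread and not HFS source code. It is a Python rendering of the string tests only; the function names, the sample paths and the choice to split on both `\` and `/` are assumptions.

```python
import re

def two_dot_check(s: str) -> bool:
    """Accept unless the path has a '\\..' component (the pre-existing check)."""
    return not ('\\..\\' in s or s.endswith('\\..'))

def two_and_three_dot_check(s: str) -> bool:
    """The pre-existing check plus the added three-dot line from the quote."""
    if '\\..\\' in s or s.endswith('\\..'):
        return False
    if '\\...\\' in s or s.endswith('\\...'):
        return False
    # As quoted, these patterns do not match a four-dot component; what the
    # server does with such a request afterwards is outside this sketch.
    return True

_ONLY_DOTS = re.compile(r'\.+')

def only_dots_check(s: str) -> bool:
    """Accept unless any component consists solely of dots, whatever the count."""
    components = re.split(r'[\\/]', s)   # assumption: both separators are split
    return not any(_ONLY_DOTS.fullmatch(c) for c in components)

# Constructed sample paths, relative to a hypothetical shared root.
SAMPLES = [
    r'\shared\docs\report.txt',   # ordinary file
    r'\shared\..notes.txt',       # leading dots, but not only dots
    r'\shared\..\x',              # two dots
    r'\shared\...',               # three dots at the end
    r'\shared\....\x',            # four dots
]

def evaluate():
    """Map each sample to (two_dot, two_and_three_dot, only_dots) verdicts."""
    return {p: (two_dot_check(p), two_and_three_dot_check(p), only_dots_check(p))
            for p in SAMPLES}

if __name__ == '__main__':
    for path, verdicts in evaluate().items():
        print(f'{path:28} accepted={verdicts}')
```

Enumerating dot counts one by one leaves the next count unmatched, while the component rule rejects every all-dot name and still accepts names such as `..notes.txt`.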


Offline MarkV

There's nothing like a good community. This bug is history now...  ;D


PC

  • Guest
Great thanks for the interest from all of you...  ;D
Sorry, but I didn't have time to look at the forum last week (exams, etc.)

I have used HFS for some years and I didn't have big problems :P
Everything started when I shared a folder with a friend and he was doing something... and typed "..." in the wrong window :P
I was a bit shocked when he asked me if I share all my Desktop... (I use Win Me sometimes to test & compile programs).

Hmm... the cause was crazy :P
Thanks for fixing!  :) :) :)