egghelp.org community Forum Index
[ egghelp.org home | forum home ]		 egghelp.org community
Discussion of eggdrop bots, shell accounts and tcl scripts.
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

dccsend with arguments security issue [SOLVED]

 
Post new topic   Reply to topic    egghelp.org community Forum Index -> Scripting Help
View previous topic :: View next topic  
Author Message
dmg
Voice


Joined: 20 Apr 2009
Posts: 5
PostPosted: Mon Apr 20, 2009 9:17 pm    Post subject: dccsend with arguments security issue [SOLVED] Reply with quote
Hi guys!

I'm a beginner at tcl scripting and i've made a script that looks something like this:

Code:

set chan "#ascii"
set botdir  "/home/dmg/hosee2"
set rootdir "$botdir/filesys"
set scrver   "getdiz"
set author   "dmg"

bind pub v !get get_file

proc get_file { nick uhost hand chan args } {
  global rootdir
  global scrver
  global author
  regsub -all -nocase {[^[:alnum:][][$\\]._()!'?^-]} [lindex $args 0] {} arg
  if { [llength $arg] != 1 } {
   putchan $chan "Usage: !get \[\[path\] <filename>\]"
   return 0
  } else {
     set find "$rootdir/$arg"
     set send [dccsend $find $nick]
     putchan $chan "requesting transfer of $arg to $nick"
     if { [passwdok $hand ""] == 1 } {
      putchan $chan "you have to set a password (or maybe you must identify yourself?)."
      return 0
     }
  if { $send == 0 } { putchan $chan "\002ok!\002 sending file" }
  if { $send == 1 } { putchan $chan "too many connections. try again later)" }
  if { $send == 2 } { putchan $chan "can't open a socket for the transfer. try again later" }
  if { $send == 3 } { putchan $chan "the file $arg \002does not exist\002 (maybe you entered the wrong path?)" }
  if { $send == 4 } { putchan $chan "too many simultanious transfers. putting file in queue" }
  putchan $chan "---==(\\/)- $scrver by $author -(\\/)==---"
  return 1
  }
}
putlog "$scrver by $author"


Everything is fine and dandy except that i found out that it will accept any kind of argument to it so using !get ../../filename or whichever path/file not limited by local rights settings would be possible.

My question is: How could i limit the script/argument to refuse access outside of the $rootdir variable?

..oh, and if you wonder, the regexp is because the files in my archive (ascii art), can sometimes have crazy characters in the filename.

Please be gentle with me since i haven't quite understood how everything works and what everything does yet Smile

Last edited by dmg on Mon Apr 20, 2009 10:08 pm; edited 1 time in total
Back to top
View user's profile Send private message
raider2k
Op


Joined: 01 Jan 2008
Posts: 140
PostPosted: Mon Apr 20, 2009 9:49 pm    Post subject: Reply with quote
maybe i didnt quite understand what you want to do, but what i understood until now is that you want users ONLY have access to $rootdir and below but nowhere else than $rootdir and below?

if thats the case i dont see anything wrong because $rootdir is "hardcoded" and since you are using $arg as an addition to $rootdir your users will get "jailed" into $rootdir anyway.

correct me if i got something wrong Wink

edit:

what you COULD do to limit ../../ is to add:

Code:

if { [regexp -all -nocase -- {\.\./} $arg] } {
   putlog "wrong path"
   return 0
}
Back to top
View user's profile Send private message
dmg
Voice


Joined: 20 Apr 2009
Posts: 5
PostPosted: Mon Apr 20, 2009 9:56 pm    Post subject: Reply with quote
yea Wink

Any user with access to the !get command and a known filename could use it like this f.i.:

03:54 <@dMG> !get ../../../../etc/passwd
03:54 <@hosee2> requesting transfer of ../../../../etc/passwd to dMG
03:54 <@hosee2> ok! sending file
03:54 <@hosee2> ---==(\/)- getdiz by dmg -(\/)==---

so they don't seem to be jailed to the $rootdir (as i too thought first).

edit:

thx! i'll try playing around with that! Smile
Back to top
View user's profile Send private message
raider2k
Op


Joined: 01 Jan 2008
Posts: 140
PostPosted: Mon Apr 20, 2009 10:00 pm    Post subject: Reply with quote
Quote:
03:54 <@dMG> !get ../../../../etc/passwd
03:54 <@hosee2> requesting transfer of ../../../../etc/passwd to dMG
03:54 <@hosee2> ok! sending file
03:54 <@hosee2> ---==(\/)- getdiz by dmg -(\/)==---


woah lol
yup thats really a nice one Very Happy

try the possible solution i gave you, should work out fine, if not try

Code:

if { [string equal -nocase "*../*" $arg] } {
   putlog "wrong path"
   return 0
}


theres always more than one way to solve something Smile
Back to top
View user's profile Send private message
dmg
Voice


Joined: 20 Apr 2009
Posts: 5
PostPosted: Mon Apr 20, 2009 10:07 pm    Post subject: Reply with quote
Thank you very much for your help. The first example worked just fine! Smile

Isn't that the beauty with scripting and programming that you're almost never limited to a single way to solve things Smile
Back to top
View user's profile Send private message
raider2k
Op


Joined: 01 Jan 2008
Posts: 140
PostPosted: Mon Apr 20, 2009 10:11 pm    Post subject: Reply with quote
definately ^^
<3 tcl Smile
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    egghelp.org community Forum Index -> Scripting Help All times are GMT - 4 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Forum hosting provided by Reverse.net

Powered by phpBB © 2001, 2005 phpBB Group
subGreen style by ktauber