
EvilOctal 2005-6-7 00:28

[转载]everybuddy 0.4.3版以下不安全文件创建漏洞以及分析

信息来源:Eric Romang

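Vulnerable code :
-----------------

The excerpt below (lines 258-308 of the file, starting and ending inside a function) builds the fixed, predictable path /tmp/.eb.$USER.translator, deletes and rewrites it through a shell command run with system(), and then reads it back with fopen(). Because /tmp is shared by all local users and the file is not created exclusively, another local user can decide what exists at that path before it is written or read (insecure temporary file, CWE-377). The same command line also places from, to and string inside single quotes; whether they are escaped before this point is not visible in the excerpt. The usual remedy is a file created with mkstemp() or kept in a per-user private directory, with the page fetched without going through the shell.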

modules/utility/autotrans.c

258 g_snprintf(buf, 2048, "rm /tmp/.eb.%s.translator -f ; wget -O
/tmp/.eb.%s.translator
'[url]http://world.altavista.com/sites/gben/pos/babelfish/tr?tt=urltext&lp=%s_%s&urltext=%s[/url]'",
259 getenv("USER"), getenv("USER"), from, to, string);
260
261 printf("Running command line:\n%s\n", buf);
262
263 if(system(buf)!=0)
264 {
265 printf("COULD NOT TRANSLATE: %s\n", ostring);
266 free(string);
267 return strdup(ostring);
268 }
269
270 g_snprintf(buf, 2048, "/tmp/.eb.%s.translator", getenv("USER"));
271
272 if((dat=fopen(buf, "r"))==NULL)
273 {
274 printf("COULD NOT TRANSLATE: %s\n", ostring);
275 free(string);
276 return strdup(ostring);
277 }
278
279 pos=0;
280
281 while(!feof(dat))
282 {
283 for(a=0; a<3; a++)
284 {
285 lastfew[a]=lastfew[a+1];
286 }
287 lastfew[3]=(char)getc(dat);
288
289 if(printing>=1)
290 {
291 buf[pos++]=lastfew[3];
292 if(pos==1023) { buf[pos]=&#39;\0&#39;; break; }
293 }
294
295 if(!strcmp(lastfew, "</TE"))
296 {
297 printf("Found end\n");
298 if (pos >= 5) {
299 buf[pos-4]=&#39;\0&#39;;
300 printing++;
301 while(pos>=5 && (buf[pos-5]==&#39;\n&#39; || buf[pos-5]==&#39;\r&#39;))
302 {
303 buf[pos-5]=&#39;\0&#39;;
304 pos--;
305 }
306 }
307 break;
308 }

#########
Related :
#########

Gentoo bug report: http://bugs.gentoo.org/show_bug.cgi?id=94473
