MXit PRPL user-supplied file paths
Mark Doliner
mark at kingant.net
Thu Jan 10 04:07:52 EST 2013
(Just responding to a question Andrew had asked a few days ago that I
realized I never answered.)
On Sun, Jan 6, 2013 at 1:30 PM, Andrew Victor <Andrew.Victor at mxit.com> wrote:
> Since the filename format above always ends in ".png", does that not mean that only PNG files can be created or overwritten?
Probably, yeah.
> The string is not URL-decoded, so if an %00 is inserted it's still not possible to terminate the string before the extension.
> (ie, no ../../../../passwd possible)
Yeah, that sounds right to me. So the remote user would only be able
to write files with a .png extension. That's certainly an
improvement, but probably still worth getting a CVE for.
More information about the security
mailing list