From dean-maxmind.com@arctic.org Mon Sep  4 18:50:28 2006
Date: Mon, 4 Sep 2006 18:50:28 -0700 (PDT)
From: dean gaudet <dean-maxmind.com@arctic.org>
To: support@maxmind.com
Subject: serious geoipupdate vulnerability

i'm looking at the GeoIP-1.4.0.tar.gz source ... and it does no sanity 
checking on the filename returned by "GET 
/app/update_getfilename?product_id=%s".

for example suppose your webserver were compromised and returned 
../../../../../../etc/passwd as the filename.

please consider something like the patch below...

-dean

Index: GeoIP-1.4.0/libGeoIP/GeoIPUpdate.c
===================================================================
--- GeoIP-1.4.0.orig/libGeoIP/GeoIPUpdate.c	2006-09-04 18:41:21.810722758 -0700
+++ GeoIP-1.4.0/libGeoIP/GeoIPUpdate.c	2006-09-04 18:45:10.771752943 -0700
@@ -92,6 +92,8 @@
     return "Invalid userID";
   case GEOIP_PRODUCT_ID_INVALID_ERR:
     return "Invalid product ID or subscription expired";
+  case GEOIP_INVALID_SERVER_RESPONSE:
+    return "Server returned something unexpected";
   default:
     return "no error";
   }  
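Review bot: The new message "Server returned something unexpected" does not tell the user what was rejected, although the only path that returns GEOIP_INVALID_SERVER_RESPONSE in this patch is the filename check in GeoIPUpdate.c. A message that names the cause is more useful to someone debugging a failed update, e.g. `return "Server returned an unexpected filename";`. Whatever wording is chosen should also be mirrored in the comment on the enumerator in GeoIPUpdate.h, which the other entries carry.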
@@ -420,6 +422,10 @@
 	buf[offset] = 0;
 	offset = 0;
 	tmpstr = strstr(buf, "\r\n\r\n") + 4;
+	if (tmpstr[0] == '.' || strchr(tmpstr, '/') != NULL) {
+		free(buf);
+		return GEOIP_INVALID_SERVER_RESPONSE;
+	}
 	geoipfilename = _GeoIP_full_path_to(tmpstr);
 	free(buf);
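Review bot: The added check dereferences `tmpstr[0]` right after `tmpstr = strstr(buf, "\r\n\r\n") + 4;`, but strstr() returns NULL when the response carries no blank line after the headers, so `NULL + 4` is undefined and the check itself would then crash on exactly the malformed-server case it is meant to handle. The NULL result should be tested before the `+ 4`, returning GEOIP_INVALID_SERVER_RESPONSE the same way the new filename check does. An empty body (`tmpstr[0] == '\0'`) also passes the check and reaches `_GeoIP_full_path_to`, so it is worth rejecting in the same condition; whether the body can carry a trailing CR/LF that would end up in the filename cannot be seen from the hunk and should be confirmed. The enclosing function begins and ends outside this hunk.
```c
	tmpstr = strstr(buf, "\r\n\r\n");
	if (tmpstr == NULL) {
		free(buf);
		return GEOIP_INVALID_SERVER_RESPONSE;
	}
	tmpstr += 4;
	/* reject an empty name, a dot-prefixed name, or anything with a path separator */
	if (tmpstr[0] == '\0' || tmpstr[0] == '.' || strchr(tmpstr, '/') != NULL) {
		free(buf);
		return GEOIP_INVALID_SERVER_RESPONSE;
	}
	/* ... unchanged: _GeoIP_full_path_to(tmpstr), free(buf) ... */
```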
 
Index: GeoIP-1.4.0/libGeoIP/GeoIPUpdate.h
===================================================================
--- GeoIP-1.4.0.orig/libGeoIP/GeoIPUpdate.h	2006-09-04 18:43:41.265969814 -0700
+++ GeoIP-1.4.0/libGeoIP/GeoIPUpdate.h	2006-09-04 18:43:56.475632408 -0700
@@ -43,7 +43,8 @@
 	GEOIP_SANITY_LOOKUP_FAIL      = -22, /* Sanity check ip address lookup failed */
 	GEOIP_RENAME_ERR              = -23, /* Rename error while installing db, check errno */
 	GEOIP_USER_ID_INVALID_ERR     = -24, /* Invalid userID */
-	GEOIP_PRODUCT_ID_INVALID_ERR  = -25  /* Invalid product ID or subscription expired */
+	GEOIP_PRODUCT_ID_INVALID_ERR  = -25, /* Invalid product ID or subscription expired */
+	GEOIP_INVALID_SERVER_RESPONSE = -26
 } GeoIPUpdateCode;
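Review bot: The new enumerator `GEOIP_INVALID_SERVER_RESPONSE = -26` is the only entry in this enum without a trailing comment; every neighbouring line documents its meaning inline, and the string table in GeoIP_get_error_message relies on these comments staying in step. Suggest `GEOIP_INVALID_SERVER_RESPONSE = -26  /* Server returned an unexpected response (e.g. unsafe filename) */` so the header explains the code without reading GeoIPUpdate.c.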
 
 const char * GeoIP_get_error_message(int i);


