Fix a high-impact directory traversal bug

You can upload files to znc via /dcc send *status. The files will be saved in
<datadir>/users/<user>/downloads/. The code for this didn't do any checking on
the file name at all and thus allowed directory traversal attacks by all znc
users (no admin privileges required!).

By exploiting this bug, attackers could e.g. upload a new ssh authorized_keys
file or upload a znc module which lets everyone gain shell access. Anything is
possible.

Again:
ONLY A NORMAL USER ACCOUNT NEEDED, no admin privileges.
THE ATTACKER GOT WRITE ACCESS TO ALL PLACES ZNC GOT WRITE ACCESS TO.


git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1570 726aef4b-f618-498e-8847-2d620e286838
psychon
2009-07-21 18:49:02 +00:00
parent c7583c4946
commit ce4f4c5cf7

@@ -421,9 +421,14 @@ void CClient::ReadLine(const CString& sData) {
return;
}
CString sLocalFile = sPath + "/" + sFile;
CString sAbsolutePath = CDir::CheckPathPrefix(sPath, sFile);
m_pUser->GetFile(GetNick(), CUtils::GetIP(uLongIP), uPort, sLocalFile, uFileSize);
if (sAbsolutePath.empty()) {
PutStatus("Illegal path.");
return;
}
m_pUser->GetFile(GetNick(), CUtils::GetIP(uLongIP), uPort, sAbsolutePath, uFileSize);
} else {
MODULECALL(OnDCCUserSend(CString(m_pUser->GetStatusPrefix() + sTarget), uLongIP, uPort, sFile, uFileSize), m_pUser, this, return);
}
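
Review bot: The `else` branch still hands the raw, client-supplied `sFile` to `OnDCCUserSend(...)`, so the `CDir::CheckPathPrefix(sPath, sFile)` check added here protects only the `*status` path, and any module that builds a local path from that argument has to repeat the check itself. Either run the same prefix check before the `MODULECALL` or document on the hook that `sFile` is untrusted input. Separately, the rejection at `if (sAbsolutePath.empty())` only sends "Illegal path." back to the client. Given the impact described in the commit message, it would help to also record the attempt on the server side (user name and the offered file name) so that operators can see traversal attempts rather than have them silently dropped.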