I wrote a small service in Go (although I don't think this would be a language-specific issue) that caches some results by saving them to a file, writing a URL query parameter into the filename as "prefix" + param + ".json" using ioutil.WriteFile. The service runs on Ubuntu.

Is it possible to do something malicious, by passing an unexpected string via the query?

2 Answers

  1. Relevant attacks that come to mind are called path injection. For example, what if the query parameter is something like ../../etc/passwd (ok, this would probably not work as the user running this service would have no permissions, but you get the point). For example, it could be possible to overwrite your service code itself.

    You should sanitize the parameter before adding it to the filename. The best would be a strict whitelist of letters and numbers that are allowed; anything else should be removed from the parameter. That way injection would not be possible.

    You can also check whether the path you are writing to is actually under an explicitly allowed directory.

  2. I will make a test in Python; here is the structure of the project:

    (screenshot of the project layout; image not available)

    app1/main.py

    while True:
        a = input()  # stands in for the query parameter
        # no validation: whatever the input contains goes straight into the path
        with open("{}.json".format(a), "w") as f:
            f.write("Hello world")


    Now I am a hacker, and I want to change "yourfile.json",
    so I passed this:
    (screenshot of the input passed; image not available)
    and then the content of yourfile.json becomes: Hello world

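Both answers point at the same fix: validate the parameter and confirm the final path stays inside the cache directory. The following Go code is an added example, not code from the question's service or from either answer; the cache directory, the function names, and the "prefix" literal carried over from the question are assumptions. It reproduces the unchecked construction from the question beside a hardened version that applies the whitelist and the directory check from the first answer, and uses a traversal-style input in the spirit of the second answer to show that the naive path escapes the directory while the checked version rejects it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// allowedParam is the strict whitelist from the first answer: letters and digits only,
// with a length cap so the filename cannot be made arbitrarily long.
var allowedParam = regexp.MustCompile(`^[A-Za-z0-9]{1,64}$`)

var (
	errUnsafeParam     = errors.New("query parameter contains disallowed characters")
	errOutsideCacheDir = errors.New("resolved path is outside the cache directory")
)

// naiveCachePath reproduces the construction from the question ("prefix" + param + ".json")
// joined onto the cache directory with no validation. Kept only to show what goes wrong.
func naiveCachePath(dir, param string) string {
	return filepath.Join(dir, "prefix"+param+".json")
}

// safeCachePath applies both defences from the first answer: whitelist the parameter,
// then verify the cleaned path still lies under dir (defence in depth; the whitelist
// alone already excludes "/" and ".", so the second check guards against future edits
// that relax the whitelist).
func safeCachePath(dir, param string) (string, error) {
	if !allowedParam.MatchString(param) {
		return "", errUnsafeParam
	}
	p := filepath.Clean(filepath.Join(dir, "prefix"+param+".json"))
	if !isUnder(dir, p) {
		return "", errOutsideCacheDir
	}
	return p, nil
}

// isUnder reports whether path is inside dir (or equal to it). filepath.Rel is used
// instead of a plain string-prefix test so that "/var/cache/myservice2" is not
// mistaken for a child of "/var/cache/myservice".
func isUnder(dir, path string) bool {
	rel, err := filepath.Rel(dir, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// writeCache is the hardened replacement for the question's ioutil.WriteFile call.
func writeCache(dir, param string, data []byte) error {
	p, err := safeCachePath(dir, param)
	if err != nil {
		return err
	}
	// 0o600: cache files need not be readable by other users on the host.
	return os.WriteFile(p, data, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "cache-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed inputs: a normal key, a traversal attempt, and a shell-looking string.
	for _, param := range []string{"abc123", "/../../../../tmp/yourfile", "a;b"} {
		if err := writeCache(dir, param, []byte(`{"cached":true}`)); err != nil {
			fmt.Printf("%-30q rejected: %v\n", param, err)
			continue
		}
		fmt.Printf("%-30q written under %s\n", param, dir)
	}
	// The naive construction, by contrast, resolves outside dir for the traversal input.
	fmt.Println("naive path escapes cache dir:",
		!isUnder(dir, naiveCachePath(dir, "/../../../../tmp/yourfile")))
}
```

Note that ioutil.WriteFile from the question has been replaced by os.WriteFile, which is the same call under its non-deprecated name (Go 1.16 and later).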