#14153 closed defect (fixed)
Backslash recognised as path separator on Linux guests in shared folders
| 回報者: | colml | 負責人: | |
|---|---|---|---|
| 元件: | shared folders | 版本: | VirtualBox 4.3.28 |
| 關鍵字: | backslash path security | 副本: | |
| Guest type: | Linux | Host type: | Windows |
描述
While security testing a PHP web application that uses the basename() function to prevent directory traversal attacks I discovered that backslashes are recognised as valid path separators on Linux guests when working in shared folders. The host is running on Windows.
As basename() on Linux does not strip backslashes directory traversal is possible (i.e. passing ..\\..\\..\\target\\securefile).
The can be tested in bash by changing the current directory (cd ..\\) or referencing another file (cat ..\\file.txt).
Tested on a Ubuntu 14.04 guest with the latest guest additions installed via apt-get. I have not tested on other hosts or guests.
It's possible this behaviour is intentional, but it does allow security breaches in certain cases.
We tried to trigger accessing files outside the area which is allowed for a shared folder, and everything was caught correctly. Scratching my head why you think this is a security issue.
It's definitely surprising behavior that \ is accepted as a path separator, but that's a comparably minor issue which can be fixed with appropriate priority (by producing an appropriate error in this case, as Windows host can't represent path elements with a \ in them, which would be perfectly valid of the host OS would be Linux).