25C3-CTF

Advisory #83

From team Stealth Assassin

New advisory by: thaidn
Affected service(s): UltraShare
Severity [lmh]: medium

===== Problem =====
The deleteFile function in main.rb fails to check whether curUser is the owner of the file to be deleted. Because the ownership check is missing, any authorized user can delete files belonging to other users.

===== Impact =====
Any authorized user can delete arbitrary files belonging to other users.

===== Fix =====
There are two places to fix:

deleteFile in main.rb should be rewritten like this:

def deleteFile
  # pass the current user down so the DB layer can scope the delete to the file's owner
  options = @db.deleteFile(curUser, @cgi['file'])
  options[:showOptions] = true
  listFilesOf curUser, options
end

deleteFile in db.rb should be rewritten like this:

def deleteFile(user, id)
  errors = Array.new
  msgs = Array.new
  $stderr.print "ID: #{id}"   # debug output
  # reject anything that is not exactly 40 hex digits (anchored, so the whole parameter must match)
  if id.nil? || id.empty? || (id =~ /\A[0-9a-fA-F]{40}\z/).nil?
    errors << "ID is not valid"
    return {:errors => errors, :msgs => ['No file was deleted']}
  end
  @db.transaction do
    # look the file up by id AND owner: a file belonging to another user is simply not found
    rows = @db.execute("select * from files where id=? and user=?", id, user)
    if rows.length < 1
      errors << "File does not exist"
      return {:errors => errors, :msgs => msgs}
    end
    @db.execute("delete from files where id=?", id)
    # rows[0]['filename'] assumes the connection returns rows as hashes (results_as_hash)
    msgs << "File #{rows[0]['filename']} was successfully deleted"
    return {:errors => errors, :msgs => msgs}
  end
  # only reached if the transaction block finished without returning
  errors << "Error in transaction: Could not delete file"
  msgs << "File was not deleted"
  return {:errors => errors, :msgs => msgs}
end
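The following is an added, self-contained illustration of the advisory's point; it is not the advisory's own code nor UltraShare's. The SQLite "files" table is replaced by an in-memory Array of Hashes (class FileStore, sample rows for the constructed users "alice" and "bob", and the method names delete_file_unchecked / delete_file are all assumptions made for this example) so that the owner-blind delete and the owner-scoped delete from the Fix section can be run side by side against the same cross-user request.

```ruby
# Added example (not part of the advisory or the UltraShare code): a minimal
# in-memory stand-in for the UltraShare "files" table, with the original
# owner-blind delete beside the hardened owner-scoped delete. The SQLite
# table is replaced by an Array of Hashes so the script runs offline.

class FileStore
  # Constructed sample rows: two users, one file each. IDs are 40 hex chars,
  # the shape the advisory's validation expects.
  def initialize
    @files = [
      { 'id' => 'a' * 40, 'user' => 'alice', 'filename' => 'notes.txt' },
      { 'id' => 'b' * 40, 'user' => 'bob',   'filename' => 'secret.pdf' }
    ]
  end

  # Sorted list of filenames still present, used to compare the two stores.
  def filenames
    @files.map { |r| r['filename'] }.sort
  end

  # Vulnerable behaviour (the advisory's "Problem"): the row is looked up by id
  # only, so any authorized user can delete any other user's file.
  def delete_file_unchecked(_user, id)
    return { errors: ['ID is not valid'], msgs: ['No file was deleted'] } unless valid_id?(id)
    row = @files.find { |r| r['id'] == id }
    return { errors: ['File does not exist'], msgs: [] } if row.nil?
    @files.delete(row)
    { errors: [], msgs: ["File #{row['filename']} was successfully deleted"] }
  end

  # Hardened behaviour (the advisory's "Fix"): the lookup is scoped to the
  # caller, so a file owned by someone else is indistinguishable from a
  # non-existent one and is never deleted.
  def delete_file(user, id)
    return { errors: ['ID is not valid'], msgs: ['No file was deleted'] } unless valid_id?(id)
    row = @files.find { |r| r['id'] == id && r['user'] == user }
    return { errors: ['File does not exist'], msgs: [] } if row.nil?
    @files.delete(row)
    { errors: [], msgs: ["File #{row['filename']} was successfully deleted"] }
  end

  private

  # Anchored so the whole parameter must be exactly 40 hex digits, not merely
  # contain such a run somewhere inside a longer string.
  def valid_id?(id)
    !id.nil? && !id.empty? && !(id =~ /\A[0-9a-fA-F]{40}\z/).nil?
  end
end

# Runs the same cross-user request (alice asks to delete bob's file) against
# both implementations and reports what survived in each store.
def demo
  unchecked = FileStore.new
  unchecked.delete_file_unchecked('alice', 'b' * 40)
  fixed = FileStore.new
  result = fixed.delete_file('alice', 'b' * 40)
  { vulnerable_left: unchecked.filenames, fixed_left: fixed.filenames, fixed_result: result }
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```

Running the script prints the two stores after the same request: the unchecked store has lost bob's file, while the owner-scoped store still holds both files and reports "File does not exist" to alice. Returning the same message for "not yours" and "not there" also avoids leaking whether a guessed id exists.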


Rating

[0] Duplicate of #60
