HC's Capture the Flag website: 25C3-CTF
Advisory #87
From team Stealth Assassin
New advisory by : thaidn
Affected service(s): UltraShare
Severity [lmh] : medium
===== Problem =====
This is not a duplicated adv. My previous adv (#60) is wrong but this one is correct. Please double check. The main difference is that deleteFile calls @db.deleteFile, so any authorized user can delete arbitrary files in the system by requesting a URL like this:

/main.rb?action="delete file"&file=file_id
===== Impact =====
delete arbitrary files belonging to other users
===== Fix =====
There are two places to fix:
deleteFile in main.rb should be rewritten like this:
```ruby
# main.rb: hand the current user to the DB layer so it can check ownership
def deleteFile
  options = @db.deleteFile(curUser, @cgi['file'])
  options[:showOptions] = true
  listFilesOf curUser, options
end
```
deleteFile in db.rb should be rewritten like this:
```ruby
# db.rb: delete a file only if it belongs to the requesting user
def deleteFile(user, id)
  errors = Array.new
  msgs = Array.new
  $stderr.print "ID: #{id}"
  # Anchor the pattern: an unanchored /[0-9a-fA-F]{40}/ would accept any
  # string that merely contains 40 hex characters somewhere inside it.
  if id.nil? or id.empty? or ((id =~ /\A[0-9a-fA-F]{40}\z/).nil?)
    errors << "ID is not valid"
    return {:errors => errors, :msgs => ['No file was deleted']}
  end
  @db.transaction do
    # Look the file up by id AND owner; someone else's id is "does not exist"
    rows = @db.execute("select * from files where id=? and user=?", id, user)
    if rows.length < 1
      errors << "File does not exist"
      return {:errors => errors, :msgs => msgs}
    end
    # Repeat the owner constraint on the delete itself, not only on the lookup
    @db.execute("delete from files where id=? and user=?", id, user)
    msgs << "File #{rows[0]['filename']} was successfully deleted"
    return {:errors => errors, :msgs => msgs}
  end
  errors << "Error in transaction: Could not delete file"
  msgs << "File was not deleted"
  return {:errors => errors, :msgs => msgs}
end
```
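The vulnerable and fixed behaviour side by side, as an added example that is not the advisory's or UltraShare's own code. The files table is a constructed in-memory array standing in for the service's SQLite table, the function names delete_file_vulnerable / delete_file_fixed and the two user names are assumptions, and the vulnerable variant models the original bug: it accepts a user argument but never uses it, so any valid file id is deleted regardless of owner. The block also contrasts the anchored id pattern with the unanchored one from the original check.

```ruby
# Added example, not code from the advisory or from UltraShare.
# FILES is a constructed stand-in for the "files" table.
FILES = [
  { 'id' => 'a' * 40, 'user' => 'alice', 'filename' => 'alice-notes.txt' },
  { 'id' => 'b' * 40, 'user' => 'bob',   'filename' => 'bob-secret.pdf'  },
]

ANCHORED   = /\A[0-9a-fA-F]{40}\z/  # whole string must be 40 hex chars
UNANCHORED = /[0-9a-fA-F]{40}/      # original check: 40 hex chars anywhere

def valid_id?(id)
  !id.nil? && !id.empty? && !(id =~ ANCHORED).nil?
end

# Shows what the unanchored pattern lets through
def matches_unanchored?(id)
  !(id =~ UNANCHORED).nil?
end

# Vulnerable model: the user argument is ignored, deletion keys on id alone
def delete_file_vulnerable(files, _user, id)
  return { errors: ['ID is not valid'], msgs: ['No file was deleted'] } unless valid_id?(id)
  rows = files.select { |f| f['id'] == id }
  return { errors: ['File does not exist'], msgs: [] } if rows.empty?
  files.reject! { |f| f['id'] == id }
  { errors: [], msgs: ["File #{rows[0]['filename']} was successfully deleted"] }
end

# Fixed model: ownership is part of both the lookup and the delete
def delete_file_fixed(files, user, id)
  return { errors: ['ID is not valid'], msgs: ['No file was deleted'] } unless valid_id?(id)
  rows = files.select { |f| f['id'] == id && f['user'] == user }
  return { errors: ['File does not exist'], msgs: [] } if rows.empty?
  files.reject! { |f| f['id'] == id && f['user'] == user }
  { errors: [], msgs: ["File #{rows[0]['filename']} was successfully deleted"] }
end

# Runs the cross-user deletion attempt against both variants
def demo
  vuln  = FILES.map(&:dup)
  fixed = FILES.map(&:dup)
  bob_id = 'b' * 40

  # alice asks the vulnerable service to delete bob's file: it goes away
  vuln_result = delete_file_vulnerable(vuln, 'alice', bob_id)
  # alice asks the fixed service: refused, bob's file survives
  fixed_alice = delete_file_fixed(fixed, 'alice', bob_id)
  bob_files_after_alice = fixed.count { |f| f['user'] == 'bob' }
  # bob deletes his own file through the fixed service: allowed
  fixed_bob = delete_file_fixed(fixed, 'bob', bob_id)
  bob_files_after_bob = fixed.count { |f| f['user'] == 'bob' }

  {
    vuln_msg: vuln_result[:msgs].first,
    vuln_bob_files: vuln.count { |f| f['user'] == 'bob' },
    fixed_alice_error: fixed_alice[:errors].first,
    bob_files_after_alice: bob_files_after_alice,
    fixed_bob_msg: fixed_bob[:msgs].first,
    bob_files_after_bob: bob_files_after_bob,
  }
end

puts demo.inspect if __FILE__ == $0
```

Running the block prints the result hash: the vulnerable variant reports bob's file deleted at alice's request, the fixed variant answers alice with "File does not exist" and leaves bob's row in place, and bob can still delete it himself. Note that 'zz' + 40 hex characters passes the unanchored pattern but fails the anchored one.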
Rating
[0] It's a dup! They proposed the same solution and addressed the same problem. The main problem lies in @db.deleteFile. The fix fixes the same thing.