

On Sun, Jun 21, 2009 at 12:40 AM, Peter Cawley<lua@corsix.org> wrote:
> On Sat, Jun 20, 2009 at 7:50 PM, Bertrand Mansion<lua@mamasam.net> wrote:
>> could test it and report any issues you find (especially if it
>> concerns my server security). The site is here :
>
> Firstly, you seem to be using an unpatched build of 5.1.4, which still
> has some opportunities for malicious bytecode (see
> http://corsix.org/content/lua-514-bug-recap ). Segfaults are caught
> cleanly by your application though, so only item 2 from that page
> represents a possible threat, though it would be non-trivial to exploit
> from within a sandbox. I'd be paranoid and prevent the load[string]
> functions from loading bytecode, but I'm still not sure if a viable
> exploit is possible yet.
>
> Secondly, the only real item of interest I've found so far is
> string.dump(setfenv(5, {})), which prints the contents of
> /home/web/trylua/vendors/init.lua as bytecode, which can then be
> downloaded by the user and the bytecode acquired, and in theory the
> file source reconstructed (http://www.corsix.org/misc/try.lua.txt is
> the listed bytecode at the moment). This isn't dangerous in itself,
> but would give a potential attacker more knowledge of the system,
> which makes other attacks easier.

Excellent, thank you :)

Well, I think I will remove the string.dump() and load functions since
I don't think it should be of any use for this kind of application
anyway.

-- 
Bertrand Mansion
Mamasam
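The two mitigations discussed in this thread (keep bytecode away from the loaders, and take string.dump and the environment-manipulation functions away from user code) can be combined into a small sandbox. The following is an added example, not code from the thread or from the trylua site; it assumes Lua 5.1, the version under discussion, where load and loadstring have no mode argument (Lua 5.2 and later can simply pass "t" as the mode to load, which rejects binary chunks outright). The bytecode sample is constructed and consists of a header only.

```lua
-- Added example (not from the thread): a minimal Lua 5.1 sandbox that
-- refuses precompiled chunks and withholds string.dump and setfenv/getfenv
-- from untrusted code.

-- Remove string.dump from the real string table, not just from a copy:
-- ("x").dump reaches the real table through the string metatable.
string.dump = nil

-- Lua 5.1 precompiled chunks begin with ESC ("\27Lua"); source text never does.
local function is_bytecode(chunk)
  return chunk:sub(1, 1) == "\27"
end

-- Text-only replacement for loadstring.
local function safe_loadstring(src, chunkname)
  if type(src) ~= "string" then
    return nil, "loadstring: string expected"
  end
  if is_bytecode(src) then
    return nil, "loadstring: binary chunks are not allowed"
  end
  return loadstring(src, chunkname)
end

-- Text-only replacement for load(reader): drain the reader first so the
-- whole chunk is inspected before the compiler ever sees it.
local function safe_load(reader, chunkname)
  if type(reader) ~= "function" then
    return nil, "load: function expected"
  end
  local parts = {}
  while true do
    local piece = reader()
    if piece == nil or piece == "" then break end
    if type(piece) ~= "string" then
      return nil, "load: reader must return strings"
    end
    parts[#parts + 1] = piece
  end
  return safe_loadstring(table.concat(parts), chunkname)
end

-- Environment handed to user code. Deliberately absent: setfenv and getfenv
-- (the setfenv(5, {}) trick walks host stack frames), dofile, loadfile,
-- require, io, os, debug and package.
local function make_sandbox_env()
  local string_copy = {}
  for k, v in pairs(string) do string_copy[k] = v end  -- dump is already nil
  return {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = unpack, xpcall = xpcall,
    load = safe_load, loadstring = safe_loadstring,
    string = string_copy, table = table, math = math,
  }
end

-- Compile and run one untrusted chunk in a fresh environment.
local function run_untrusted(src)
  local fn, err = safe_loadstring(src, "=user")
  if not fn then return false, err end
  setfenv(fn, make_sandbox_env())
  return pcall(fn)
end

-- Self-checks on constructed inputs.
local ok, out = run_untrusted("return string.rep('a', 3)")
assert(ok and out == "aaa")

local fake_bytecode = "\27Lua\81"          -- constructed: 5.1 header bytes only
local rejected, msg = run_untrusted(fake_bytecode)
assert(not rejected and msg:find("binary chunks", 1, true))

local ok2, dump_fn = run_untrusted("return string.dump")
assert(ok2 and dump_fn == nil)              -- dump is gone, method syntax included

local ok3, inner = run_untrusted("return loadstring('\\27Lua')")
assert(ok3 and inner == nil)                -- loader inside the sandbox refuses it too
```

The wrappers only protect what the sandbox hands out; the real load and loadstring still exist in the host's global table, so the host must never expose its own globals (or setfenv, which can reach them) to user chunks.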