Dreamboard

foggy · 3. November 2008

Hi, this exploit was discovered many time ago, but there is many silent about it: if you put a particular string in your browser, the webif of the dreambox permit the download of many files ( private datas example: /var/etc/xxcam.cfg or /var/etc/passwd or /tmp/scxx.info etc etc), the dreambox can be simply hacked.

Only Enigma1 is affected from this bug, Enigma2 not.

Can't publish the exploit here, the details in PM only to the moderators.

Better close the webif access from the wan.

Byez.

lupomeo · 11. November 2008

This exploit is not discovered long time ago. Long time ago was discovered only a medium risk security.
This exploit was discovered recently and is very high level critic.
The security hole affect the webif throw the httpd server of E1.
But is is very easy to fix adding two simple lines in the file:
/enigma/lib/system/http_file.cpp

In this way the single exploit can be fixed but it could be important to have a better security protection level in E1 CVS.

dbluelle · 11. November 2008

Well I just fixed it in the CVS and it was only one line that had to be changed ;).

dbluelle

lupomeo · 11. November 2008

Zitat

Originally posted by dbluelle
only one line .
dbluelle

Be sure to filter not only ....f but ....F too

dbluelle · 11. November 2008

Hmm, IMHO httpUnescape takes care of upper/lowercase ?(.
At least on my Box both URLs are forbidden now.

dbluelle

lupomeo · 11. November 2008

Zitat

Originally posted by dbluelle
httpUnescape

You are right.
good solution !! =)

foggy · 13. November 2008

..big THX @ dbluelle for your great work, it's time to build a new image with this most important fix.:)

Ciao.