Ticket #14153 (closed defect: fixed)

Opened 8 years ago

Last modified 7 years ago

Backslash recognised as path separator on Linux guests in shared folders

Reported by: colml Owned by:
Component: shared folders Version: VirtualBox 4.3.28
Keywords: backslash path security Cc:
Guest type: Linux Host type: Windows


While security testing a PHP web application that uses the basename() function to prevent directory traversal attacks I discovered that backslashes are recognised as valid path separators on Linux guests when working in shared folders. The host is running on Windows.

As basename() on Linux does not strip backslashes directory traversal is possible (i.e. passing ..\\..\\..\\target\\securefile).

The can be tested in bash by changing the current directory (cd ..\\) or referencing another file (cat ..\\file.txt).

Tested on a Ubuntu 14.04 guest with the latest guest additions installed via apt-get. I have not tested on other hosts or guests.

It's possible this behaviour is intentional, but it does allow security breaches in certain cases.

Change History

comment:1 Changed 8 years ago by klaus

We tried to trigger accessing files outside the area which is allowed for a shared folder, and everything was caught correctly. Scratching my head why you think this is a security issue.

It's definitely surprising behavior that \ is accepted as a path separator, but that's a comparably minor issue which can be fixed with appropriate priority (by producing an appropriate error in this case, as Windows host can't represent path elements with a \ in them, which would be perfectly valid of the host OS would be Linux).

comment:2 Changed 7 years ago by frank

  • Status changed from new to closed
  • Resolution set to fixed

There is a fix in VBox 5.0.2.

Note: See TracTickets for help on using tickets.
ContactPrivacy policyTerms of Use