On Sat, Jun 20, 2009 at 7:50 PM, Bertrand Mansion<lua@mamasam.net> wrote:
> could test it and report any issues you find (especially if it
> concerns my server security). The site is here :

Firstly, you seem to be using an unpatched build of 5.1.4, which still
has some opportunities for malicious bytecode (see
http://corsix.org/content/lua-514-bug-recap ). Segfaults are caught
cleanly by your application though, so only item 2 from that page
represents a possible threat, though it would be non-trivial to exploit
from within a sandbox. I'd be paranoid and prevent the load[string]
functions from loading bytecode, but I'm still not sure if a viable
exploit is possible yet.

Secondly, the only real item of interest I've found so far is
string.dump(setfenv(5, {})), which prints the contents of
/home/web/trylua/vendors/init.lua as bytecode, which can then be
downloaded by the user and the bytecode acquired, and in theory the
file source reconstructed (http://www.corsix.org/misc/try.lua.txt is
the listed bytecode at the moment). This isn't dangerous in itself,
but would give a potential attacker more knowledge of the system,
which makes other attacks easier.
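Added example, not code from the reply or from the Try Lua site: a Lua 5.1 sandbox wrapper along the lines the reply suggests, which rejects precompiled chunks in loadstring and exposes a string table without dump (and no setfenv), so `string.dump(setfenv(5, {}))` cannot leak the enclosing chunk. The function names are hypothetical.

```lua
-- Hypothetical hardening for a Lua 5.1 "try it" sandbox (added example).
-- 1) refuse bytecode in loadstring; 2) drop string.dump / setfenv from the env.

local function safe_loadstring(src, chunkname)
  if type(src) ~= "string" then return nil, "source must be a string" end
  -- Lua 5.1 precompiled chunks start with the signature "\27Lua" (ESC 'L' 'u' 'a');
  -- rejecting a leading ESC byte keeps the unpatched 5.1.4 bytecode verifier
  -- out of reach of user input.
  if src:byte(1) == 27 then
    return nil, "precompiled bytecode is not allowed in the sandbox"
  end
  return loadstring(src, chunkname or "=sandbox")
end

local function make_sandbox_env()
  local env = {
    print = print, pairs = pairs, ipairs = ipairs, type = type,
    tostring = tostring, tonumber = tonumber, select = select,
    unpack = unpack, pcall = pcall, error = error, math = math, table = table,
    string = {},  -- restricted copy: every string function except dump
  }
  for k, v in pairs(string) do
    if k ~= "dump" then env.string[k] = v end
  end
  -- Deliberately absent: setfenv/getfenv, load/loadfile/dofile/require, debug.
  env.loadstring = function(src, name)
    local fn, err = safe_loadstring(src, name)
    if not fn then return nil, err end
    setfenv(fn, env)  -- nested chunks stay inside the sandbox
    return fn
  end
  env._G = env
  -- ("x").dump would still reach the real string.dump through the string
  -- metatable, so point its __index at the restricted copy as well.
  getmetatable("").__index = env.string
  return env
end

local function run_sandboxed(src)
  local env = make_sandbox_env()
  local fn, err = safe_loadstring(src)
  if not fn then return false, err end
  setfenv(fn, env)
  return pcall(fn)
end

-- Constructed inputs: plain source runs, bytecode and the dump trick are refused.
print(run_sandboxed("return 1 + 1"))
print(run_sandboxed(string.dump(function() return 1 end)))
print(run_sandboxed("return string.dump(setfenv(5, {}))"))
```

Changing the string metatable affects the host process as well, so do it once at startup rather than per request if the host relies on `("..."):dump`.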