lua-l archive


On Sat, Jun 20, 2009 at 7:50 PM, Bertrand Mansion<> wrote:
> could test it and report any issues you find (especially if it
> concerns my server security). The site is here :

Firstly, you seem to be using an unpatched build of 5.1.4, which still
has some opportunities for malicious bytecode (see ). Segfaults are caught
cleanly by your application though, so only item 2 from that page
represents a possible threat, though it would be non-trivial to exploit
from within a sandbox. I'd be paranoid and prevent the load[string]
functions from loading bytecode, but I'm still not sure if a viable
exploit is possible yet.

Secondly, the only real item of interest I've found so far is
string.dump(setfenv(5, {})), which prints the contents of
/home/web/trylua/vendors/init.lua as bytecode, which can then be
downloaded by the user and the bytecode acquired, and in theory the
file source reconstructed ( is
the listed bytecode at the moment). This isn't dangerous in itself,
but would give a potential attacker more knowledge of the system,
which makes other attacks easier.
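
The two mitigations implied by this message (refusing bytecode in the load functions, and closing the string.dump/setfenv leak), as an added example for Lua 5.1 that is not part of the original post and not the site's own code. The names `harden` and `env` are hypothetical; `env` stands for whatever table the host uses as the sandbox's global environment.

```lua
-- Added example for Lua 5.1; `harden` and `env` are hypothetical names.
local real_loadstring, real_load, real_setfenv = loadstring, load, setfenv
local real_dump = string.dump

-- lua_load selects the bytecode loader when the chunk's first byte is ESC
-- (precompiled chunks start with "\27Lua").
local function is_bytecode(s)
  return type(s) == "string" and s:sub(1, 1) == "\27"
end

local function safe_loadstring(s, chunkname)
  if is_bytecode(s) then return nil, "bytecode chunks are not allowed" end
  return real_loadstring(s, chunkname)
end

-- load() pulls the chunk piece by piece; the first byte of the first piece
-- decides which loader is used, so that is the piece to inspect.
local function safe_load(func, chunkname)
  local first = true
  return real_load(function()
    local piece = func()
    if first then
      first = false
      if is_bytecode(piece) then error("bytecode chunks are not allowed", 0) end
    end
    return piece
  end, chunkname)
end

-- Refuse numeric stack levels so sandboxed code cannot address host frames.
local function safe_setfenv(f, t)
  if type(f) ~= "function" then error("setfenv: function expected", 2) end
  return real_setfenv(f, t)
end

local function harden(env)
  env.loadstring, env.load, env.setfenv = safe_loadstring, safe_load, safe_setfenv
  -- String methods resolve through the shared string metatable, so dump must be
  -- removed from the real string table, not only from a copy placed in env.
  string.dump = nil
end

-- Self-check with constructed inputs.
local env, sent = {}, false
local bc = real_dump(function() return 1 end)  -- constructed bytecode sample
harden(env)
assert(env.loadstring(bc) == nil)
assert(env.loadstring("return 1")() == 1)
assert(env.load(function() if not sent then sent = true return bc end end) == nil)
assert(not pcall(env.setfenv, 5, {}))
assert(("x").dump == nil)
```

If the host itself needs `string.dump`, it should keep a private local reference before calling `harden`, as `real_dump` does here.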