SecuriTeam - Mac OS X HFS+ Multiple Vulnerabilities (_

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Hierarchical File System Plus(HFS+) is "a file system developed by Apple Computer for use on computers running Mac OS".

HFS+ allow servers such as Apache to retrieve the source of a PHP or JSP source files using the data and resource fork options.

Credit:
The information has been provided by TAC.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* MacOS X version 10.2 and above

Apple's HFS and HFS+ file systems allows two separate data streams for each file, referred to as the "data fork" and "resource fork". The classic Mac OS operating systems and Carbon API on Mac OS X provide separate functions for opening and manipulating the data and resource forks. In Mac OS X, however, support for addressing these separate streams has been integrated into the POSIX API. In Mac OS X 10.2 and above, opening the file by its pathname opens the data fork, but the data fork or resource fork may also be opened for a given file by respectively appending "/..namedfork/data" or "/..namedfork/rsrc" to the pathname passed to the open(2) system call. In previous versions, they may be addressed by appending the special pathnames "/.__Fork/data" or "/.__Fork/rsrc". The resource fork may also be opened in most versions of Mac OS X by appending "/rsrc" to the file pathname.

Due to this feature being available throughout the operating system, via the POSIX API, it is therefore available to any software involved in the opening of file streams via the open() syscall, such as a web server opening an HTML or PHP file present on the Darwin servers file system. As a result, server daemons, such as web servers which open file streams, based on user controlled data, may be fooled into opening the respective files resource and/or file fork rather than the absolute file name. This may allow users to view arbitrary data, such as the source code of server interpreted documents (such as PHP and JSP files).

Workaround:
The HFS+ file system is not recommended for dedicated servers, but is required to support numerous legacy Macintosh applications. At the time of this technical advisory, it is strongly recommended that organizations with public Internet-facing Apple servers consider migration to the Berkeley Fast File System (FFS/UFS) option available in OS X.

	Real Networks RealPlayer Compressed GIF Handling Integer Overflow
	RealNetworks RealPlayer CMediumBlockAllocator Integer Overflow Vulnerability
	SugarCRM Online Document Cross-Site Scripting (XSS) Vulnerability
	Skype URI Processing Arbitrary XML File Deletion Vulnerability
	Skype Protocol Handler Datapath Argument Injection Credential Disclosure Vulnerability
	LedgerSMB Multiple Vulnerabilities
	Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
	Piwik Cookie Unserialize Vulnerability
	Invision Power Board SQL PHP File Inclusion and SQL Injection
	U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability
	DevIL DICOM Buffer Overflow Vulnerability
	Marvell Driver Multiple Information Element Overflows
	HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution
	HP Color LaserJet Printers Unauthorized Access to Data and DoS
	KDE KDELibs Remote Array Overrun with Arbitrary Code Execution