Vim backup Source Disclosure Vulnerability

From: Chris Gragsone (maetrics@realwarp.net)
Date: 12/28/01


Date: Fri, 28 Dec 2001 01:25:25 -0500
From: Chris Gragsone <maetrics@realwarp.net>
To: bugtraq <bugtraq@securityfocus.com>

Vim backup Source Disclosure Vulnerability
by Chris Gragsone
Foot Clan

Date: December 27, 2001
Advisory ID: Foot-20011227
Impact of vulnerability: Source Disclosure
Exploitable: Remote
Maximum Risk: Moderate

Affected Software:
Vim

Vulnerability Description:

Vim is an improved version of the editor "vi", one of the standard text
editors on UNIX systems. Vim has a 'backup' option; when it is set, Vim
renames the original file to a backup name before the new contents are
written, and leaves that backup in place. If the edited file is a
server-side script inside a web document root, the backup is an ordinary
file that the web server will serve. A malicious user can request the
backup name for the script, bypassing server-side processing (the backup
extension is not mapped to the script handler) and disclosing the
script's source code.

In Vim 3.0 and earlier, the 'backup' option is set by default, and the
original file is renamed to the original filename with '.bak' appended.
This option is disabled by default in Vim 4.0 and later. However, if it
is enabled, the original file is renamed to the original filename with
'~' appended. In each case the backup file keeps the original
permissions, so it is as readable to the web server as the script
itself. Where backups are wanted, Vim's 'backupdir' option places them
in a directory of the administrator's choosing, which should be outside
the document root.

This is not a software bug but a misconfiguration or administrative
oversight. The request involved in this vulnerability (a URL whose path
ends in '~' or '.bak') can never belong to a legitimate connection, so
it is easy to refuse at the web server and easy to spot in the access
log. This vulnerability has been tested with PHP4 on Apache, but it
should affect any server-side script that is routinely edited in place
in this manner.

Vulnerability Reproduction:
with Vim 4.0 and later: http://footclan.realwarp.net/passwd.php~
with Vim 3.0 and earlier: http://footclan.realwarp.net/passwd.php.bak
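As an added example, not part of the advisory, the following POSIX shell script does the two checks an administrator would want after reading the above: it audits a document root for the backup names the advisory describes (`name~` and `name.bak`, plus Vim's `.name.swp` swap files, which also contain source), and it pulls requests for such names out of a combined-format Apache access log. The document root path, the function names and the sample log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit a web document root for the
# files Vim's 'backup' option leaves behind, and detect requests for them.
# Requires only POSIX sh, find(1), grep(1) and sort(1).

# List every file under the document root $1 whose name is a Vim backup:
#   name~      left by Vim 4.0 and later with 'backup' set
#   name.bak   left by Vim 3.0 and earlier ('backup' on by default)
#   .name.swp  swap file left by a crashed or killed Vim session
# Output is sorted so it can be diffed against a previous run.
find_editor_backups() {
    find "$1" -type f \( -name '*~' -o -name '*.bak' -o -name '.*.swp' \) \
        2>/dev/null | sort
}

# Run the audit and fail (exit status 1) if anything turned up, so the check
# can be wired into cron or a deployment script. Findings go to stderr.
audit_webroot() {
    hits=$(find_editor_backups "$1")
    if [ -n "$hits" ]; then
        printf 'editor backup files exposed under %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# Read Apache/NCSA access log lines on stdin and print the ones that request
# a backup name. No legitimate client ever asks for passwd.php~ or
# passwd.php.bak, so every match is either a scan or, when the status is
# 200, a disclosure that actually happened.
grep_backup_requests() {
    grep -E '"(GET|HEAD|POST) [^" ]*(~|\.bak|\.swp)(\?[^" ]*)? HTTP/'
}
```

Run `audit_webroot /var/www/html` from a deployment hook, and `grep_backup_requests < access.log` to learn whether anyone has already asked. On the Vim side, `set nobackup` in the editing account's .vimrc stops the backup being left behind (the default 'writebackup' still protects the write itself), or `set backupdir=` pointed at a directory outside the document root keeps backups without exposing them. On the server side, Apache can refuse these names outright with a `<FilesMatch "(~|\.bak|\.swp)$">` section containing `Require all denied` (2.4) or `Deny from all` (1.3/2.2).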

References:
http://www.vim.org/

Contact:
http://footclan.realwarp.net/
Chris Gragsone (maetrics@realwarp.net)

Disclaimer:
The contents of this advisory are copyright (c)2001 Foot Clan and may be
distributed freely provided that no fee is charged for this distribution
and proper credit is given.
