HP-UX CDE Default PATH Vulnerability

Solution:
In /usr/dt/bin/Xsession just before this:

# ###########################################################################
#
# Startup section.

Add this:

###################### Clean up $PATH for root ##########################
if [ "$USER" = "root" ]
then
Log "Clean up PATH for root user"
Log "Old PATH = $PATH"
PATH=`echo $PATH | awk '
{
# Remove elements from PATH that are
# (a) "."
# (b) ""
# (c) blank
#
gsub (" ",":", $0) # Substitite ":" for each blank
n = split ($0, path, ":") # Split into elements with ":" as delimiter
first = 1 # To suppress leading ":" in new PATH
for (i=1; i<=n; i++) {
len = length(path[i])
dot = index(path[i], ".")
dot_only = 0
if ((len == 1) && (dot==1)) {
dot_only = 1
}
# print element if it is not "" and not "."
if (!(len==0) && !(dot_only==1)) {
if(first != 1) {
printf (":") # if not first element, print ":" in front
}
printf ("%s",path[i])
first = 0
}
}
}
END { printf ("\n") }'`
Log "New PATH = $PATH"
fi
###################### End - Clean up $PATH for root ####################
 

Privacy Statement
Copyright 2010, SecurityFocus