Linux-Bulgaria.ORG

lug-bg: Fwd: solution to wu-ftpd + tar program execution


  • Subject: lug-bg: Fwd: solution to wu-ftpd + tar program execution
  • From: George Danchev <danchev@xxxxxxxxx>
  • Date: Sat, 6 Sep 2003 10:34:52 +0300


----------  Forwarded Message  ----------

Subject: solution to wu-ftpd + tar program execution
Date: Friday 05 September 2003 16:14
From: Georgi Guninski <guninski@xxxxxxxxxxxx>
To: security@xxxxxxxxxxxx

This has been known for a long time:
http://www.security-express.com/archives/bugtraq/1999-q4/0405.html

There is an easy solution to this which doesn't cut functionality:
in ftpconversions place " -- " before "%s" in every line which has tar
(probably on all lines is a good idea).
" -- " terminates the arguments passed to tar, so programs can't be
injected.

Linux distributions were notified about the solution; Debian released an
advisory at:
http://www.debian.org/security/2003/dsa-377

georgi

-------------------------------------------------------

-- 
pub  4096R/0E4BD0AB 2003-03-18 <keyserver.bu.edu>
1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB

============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================
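The ftpconversions fix from the forwarded message, as an added audit script that is not part of the original post or of wu-ftpd: it flags conversion lines whose external command receives the user-supplied filename (`%s`) without a preceding `--`, and rewrites them into the hardened form. The sample file content is constructed, and the colon-separated field layout (external command in field 5) is assumed from the example ftpconversions shipped with wu-ftpd.

```shell
#!/bin/sh
# Added example (not from the mail or the wu-ftpd project): audit an
# ftpconversions file for commands that get the filename (%s) without a
# preceding "--" option terminator, and show the hardened lines.
# Assumption: field 5 of each colon-separated line is the external command,
# as in the sample ftpconversions distributed with wu-ftpd.

# Constructed sample: two unsafe tar lines, one hardened, one gzip line.
SAMPLE_CONVERSIONS=' :.gz: : :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
 : : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
 : : :.tar.gz:/bin/tar -c -z -f - -- %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
 : : :.tar.Z:/bin/tar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS'

# Print every line (read from stdin) whose command passes %s without "-- "
# right before it. Comment and blank lines are skipped.
find_unterminated() {
    awk -F: '
        /^[[:space:]]*(#|$)/ { next }
        {
            cmd = $5                      # external command field
            if (cmd !~ /%s/) next         # no filename substitution at all
            if (cmd ~ /(^|[[:space:]])--[[:space:]]+%s/) next   # already safe
            print
        }'
}

# Rewrite the command field so that "-- " immediately precedes "%s",
# which is exactly the change DSA-377 applied to every conversion line.
harden() {
    awk -F: 'BEGIN { OFS=":" }
        /^[[:space:]]*(#|$)/ { print; next }
        {
            if ($5 ~ /%s/ && $5 !~ /(^|[[:space:]])--[[:space:]]+%s/)
                sub(/%s/, "-- %s", $5)
            print
        }'
}

# Number of unsafe lines in the constructed sample (expected: 3).
count_unsafe() {
    printf '%s\n' "$SAMPLE_CONVERSIONS" | find_unterminated | wc -l | tr -d ' '
}

# Number of unsafe lines left after hardening (expected: 0).
count_after_harden() {
    printf '%s\n' "$SAMPLE_CONVERSIONS" | harden | find_unterminated | wc -l | tr -d ' '
}
```

Run `printf '%s\n' "$SAMPLE_CONVERSIONS" | harden` to see the rewritten file, or pipe a real /etc/ftpconversions into `find_unterminated` to list the lines that still need the terminator.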

Mailing list messages are © Copyright their authors.