Bugtraq mailing list archives
Re: SunOS 4.1.4 ftp serious bug
From: jzbiciak () DALDD SC TI COM (Joe Zbiciak)
Date: Mon, 16 Jun 1997 11:54:57 -0500
'Homer W. Smith' said previously:
|
|     This may be old hat, but it has bitten me again recently and
| I am surprised this bug is allowed to live.
|
|     Running SunOS 4.1.4
|
|     ftp from SunOS machine A to any other machine B.
|
|     cd remote directory
|
|     lcd to any random directory NOT the directory that contains
| the file you wish to upload.
|
|     put /absolute/path/to/file
|
|     This will *ERASE* the file on machine A!
|

I don't believe this is a bug. The only situation I can devise in
which the file will get truncated is when "/absolute/path/to/file" is
shared by both machines in question. And, this will happen with any of
the classic text-based ftp clients out there. (Note: I don't know if
ncftp would behave the same.)

A "put" or "get" with just a full path will use that same full path for
both source and destination sides, regardless of the current directory.
This isn't a bug, but a feature. If that directory happens to be shared
on both hosts (such as an NFS mounted home area), then you stand a chance
of truncating the file before you've sent it.

In any case, what does this have to do with security?

Regards,

--Joe

PS. If my conjecture above about the situation which causes this is
incorrect, I'll happily accept more details (like a typescript of a
session which illustrates this behavior). Thanks!

--
+--------------Joseph Zbiciak--------------+
|- - - - jzbiciak () daldd sc ti com - - - - -|
| - - http://www.primenet.com/~im14u2c - - |   Not your average "Joe."
|- - - - Texas Instruments, Dallas - - - -|
+-------#include <std_disclaimer.h>--------+
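The truncation described in the message above, simulated on a single host as an added example (not code from the original post or from any ftp client or server). A temporary directory stands in for the NFS-shared path. All function names are hypothetical, and `stor_via_temp` is an assumed receiver design (write to a temporary name, then rename) that goes beyond what the message discusses.

```python
import os
import tempfile

CHUNK = 4096

def put_names(arg):
    # One-argument "put": the same string names the local and the remote file.
    return arg, arg

def stor_truncating(local, remote):
    """Receiver opens the destination for writing (truncating it) before data is read."""
    sent = 0
    with open(local, "rb") as src, open(remote, "wb") as dst:  # "wb" truncates here
        while chunk := src.read(CHUNK):  # same file: already empty, nothing to read
            dst.write(chunk)
            sent += len(chunk)
    return sent

def stor_via_temp(local, remote):
    """Assumed safer receiver: write under a temporary name, rename when complete."""
    sent = 0
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(remote))
    with os.fdopen(fd, "wb") as dst, open(local, "rb") as src:
        while chunk := src.read(CHUNK):
            dst.write(chunk)
            sent += len(chunk)
    os.replace(tmp, remote)  # the original stays intact until the copy is complete
    return sent

def demo():
    """Return {receiver: (bytes_sent, final_size, original_size)} for each receiver."""
    results = {}
    payload = b"constructed sample data\n" * 100  # constructed test content
    with tempfile.TemporaryDirectory() as shared:  # stands in for the shared directory
        path = os.path.join(shared, "file")
        for name, stor in (("truncating", stor_truncating), ("via_temp", stor_via_temp)):
            with open(path, "wb") as f:
                f.write(payload)
            local, remote = put_names(path)
            sent = stor(local, remote)
            results[name] = (sent, os.path.getsize(path), len(payload))
    return results

if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```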