Bugtraq mailing list archives

Re: Directory traversal vulnerabilities in several archivers processing .tar

From: Stephen Samuel <samuel () bcgreen com>
Date: Thu, 19 Dec 2002 11:35:10 -0800

It's not always obvious that an archive shouldn't be trusted --
for example, the breakins at the BSD and Sendmail sites.

Trusting directory traversal strings (absolute paths and ../) should
require an explicit request on the part of the user. Just because a
user 'should' be wary of a trojan archive doesn't mean that they
always will be.


Andrew Kopp wrote:
....

And to those who extract an un-trusted archive and set the "don't prompt
me" flag, you really need a lesson in 'basic' (very obvious too!)
security practices.


--
Stephen Samuel +1(604)876-0426                samuel () bcgreen com
                   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.

Current thread:

Directory traversal vulnerabilities in several archivers processing .tar Florian Schafferhans (Dec 17)
- Re: Directory traversal vulnerabilities in several archivers processing .tar der Mouse (Dec 17)
- RE: Directory traversal vulnerabilities in several archivers processing .tar Andrew Kopp (Dec 18)
  - Re: Directory traversal vulnerabilities in several archivers processing .tar Stephen Samuel (Dec 19)
  - RE: Directory traversal vulnerabilities in several archivers processing .tar konto mailingowe (Dec 20)