Bugtraq mailing list archives
Re: Directory traversal vulnerabilities in several archivers processing .tar
From: Stephen Samuel <samuel () bcgreen com>
Date: Thu, 19 Dec 2002 11:35:10 -0800
It's not always obvious that an archive shouldn't be trusted -- for example, the breakins at the BSD and Sendmail sites. Trusting directory traversal strings (absolute paths and ../) should require an explicit request on the part of the user. Just because a user 'should' be wary of a trojan archive doesn't mean that they always will be.

Andrew Kopp wrote:
> ....
> And to those who extract an un-trusted archive and set the "don't prompt me" flag, you really need a lesson in 'basic' (very obvious too!) security practices.
-- 
Stephen Samuel +1(604)876-0426 samuel () bcgreen com
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and doubt to touch the jewel within each person and bring it to life.
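The check the post argues for (refusing absolute member names and `../` escapes unless the user explicitly asks for them), as an added example that is not code from this thread or from any of the archivers discussed. It uses Python's standard `tarfile` module; the helper names and the in-memory sample archive are constructed for this example, and it goes beyond the post by also checking symlink and hard-link targets, which can escape the destination the same way.

```python
import io
import os
import tarfile

def is_safe_member_name(name: str, dest: str) -> bool:
    """True only if `name` joined to `dest` stays inside `dest` (hypothetical helper).
    Rejects empty and absolute names and any '..' that climbs above `dest`;
    it is a string check and ignores symlinks already present on disk."""
    if not name or os.path.isabs(name):
        return False
    dest_abs = os.path.realpath(dest)
    # normpath collapses 'a/..' pairs, so "docs/../../x" lands above dest and fails below.
    target = os.path.normpath(os.path.join(dest_abs, name))
    try:
        return os.path.commonpath([dest_abs, target]) == dest_abs
    except ValueError:  # mixed drives on Windows
        return False

def partition_members(tar: tarfile.TarFile, dest: str):
    """Split members into (safe, rejected) name lists without extracting.
    A symlink target is relative to the link's directory, a hard link
    target to the archive root; both are checked the same way."""
    safe, rejected = [], []
    for m in tar.getmembers():
        ok = is_safe_member_name(m.name, dest)
        if ok and (m.issym() or m.islnk()):
            base = os.path.dirname(m.name) if m.issym() else ""
            ok = is_safe_member_name(os.path.join(base, m.linkname), dest)
        (safe if ok else rejected).append(m.name)
    return safe, rejected

def build_sample_archive() -> bytes:
    """Constructed in-memory sample: a benign file, a '../' name, an
    absolute name, and a symlink whose target escapes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "docs/../../etc/passwd", "/etc/passwd"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
        link = tarfile.TarInfo("docs/evil_link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()

def check_sample(dest: str = "extract_here"):
    """Run the partition over the constructed sample; nothing is written to disk."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
        return partition_members(tar, dest)
```

Python 3.12 and later also provide `tar.extractall(path, filter="data")`, which rejects the same escapes at extraction time.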
Current thread:
- Directory traversal vulnerabilities in several archivers processing .tar Florian Schafferhans (Dec 17)
- Re: Directory traversal vulnerabilities in several archivers processing .tar der Mouse (Dec 17)
- RE: Directory traversal vulnerabilities in several archivers processing .tar Andrew Kopp (Dec 18)
- Re: Directory traversal vulnerabilities in several archivers processing .tar Stephen Samuel (Dec 19)
- RE: Directory traversal vulnerabilities in several archivers processing .tar konto mailingowe (Dec 20)