Full Disclosure mailing list archives
Re: Administrivia: List Compromised due to Mailman Vulnerability
From: Steve Blass <sblass () asu edu>
Date: Wed, 09 Feb 2005 12:45:19 -0700
John Cartwright wrote:
... Subscriber addresses and passwords have been compromised.
d'0h!
That's an improvement, but better is to extract and validate the tail of the path to your repository and then anchor the root where it belongs....

    SLASH = '/'

    def true_path(path):
        "Ensure that the path is safe by removing .."
        # Drop every '.' and '..' component, then strip the leading slash
        # so the result is a relative tail that can be anchored under the root.
        parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
        return SLASH.join(parts)[1:]
Fully disclosing that FD was compromised was a stand up thing to do though. Good job!
- Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
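An added example, not code from the message above or from Mailman, showing the two-step approach the reply recommends: strip the dangerous components from the client-supplied tail, then anchor it under a fixed root and verify that the resolved path still lies inside that root. The names `ARCHIVE_ROOT`, `sanitize_tail` and `safe_join` are hypothetical, and the root directory is an assumed value; nothing has to exist on disk for it to run.

```python
import os

# Assumed root for this example; any absolute directory works.
ARCHIVE_ROOT = "/var/lib/mailman/archives/private"


def sanitize_tail(user_path):
    """Drop '', '.' and '..' components from a client-supplied path.

    This is the strip-the-dots step: a traversal attempt such as
    'foo/../../etc/passwd' collapses to the harmless relative tail
    'foo/etc/passwd' instead of climbing out of the repository.
    A leading slash disappears because the empty first component is dropped.
    """
    parts = [p for p in user_path.split("/") if p not in ("", ".", "..")]
    return "/".join(parts)


def is_within(root, candidate):
    """True if candidate (already resolved) is root itself or below it."""
    return os.path.commonpath([root, candidate]) == root


def safe_join(root, user_path):
    """Anchor the sanitized tail under root and verify containment.

    Returns the resolved absolute path, or None if the result would land
    outside root. The containment check is the second line of defence:
    realpath() follows symlinks, so a link inside the archive pointing
    elsewhere is caught here even though the lexical filter passed it.
    """
    tail = sanitize_tail(user_path)
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, tail))
    if not is_within(root, candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths, as an archive CGI might receive them.
    for requested in ("listname/2005-February/000123.html",
                      "/listname/../../../etc/passwd",
                      "../../etc/passwd"):
        print("%-40s -> %s" % (requested, safe_join(ARCHIVE_ROOT, requested)))
```

The lexical filter alone is what the message's `true_path` does; `safe_join` adds the anchor-and-verify step, so the resolved path is compared against the real root rather than trusting the string manipulation.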
Current thread:
- Administrivia: List Compromised due to Mailman Vulnerability John Cartwright (Feb 09)
- Re: Administrivia: List Compromised due to Mailman Vulnerability Frank Knobbe (Feb 09)
- Re: Administrivia: List Compromised due to Mailman Vulnerability Valdis . Kletnieks (Feb 09)
- Re: Administrivia: List Compromised due to Mailman Vulnerability Frank Knobbe (Feb 09)
- Re: Administrivia: List Compromised due to Mailman Vulnerability Valdis . Kletnieks (Feb 09)
- Re: Administrivia: List Compromised due to Mailman Vulnerability Anders Langworthy (Feb 09)
- Re: Administrivia: List Compromised due to Mailman Vulnerability bkfsec (Feb 10)
- RE: [lists] Re: Administrivia: List Compromised due to MailmanVulnerability Curt Purdy (Feb 13)
- Re: Administrivia: List Compromised due to Mailman Vulnerability Valdis . Kletnieks (Feb 09)
- Re: Administrivia: List Compromised due to Mailman Vulnerability Frank Knobbe (Feb 09)
- Re: Administrivia: List Compromised due to Mailman Vulnerability John Cartwright (Feb 10)