Re: security hole in mget (in ftp client)

der Mouse (mouse@RODENTS.MONTREAL.QC.CA)
Tue, 05 Aug 1997 12:55:27 -0400

> On most Unix platforms, when an ftp client processes an mget command,
> it does not check [...for evilness like:] In particular, a malicious
> ftp server's NLST response might include lines such as "../.forward",

> Perhaps the easiest solution is to fix the ftp client to ignore lines
> in an NLST response that include a '/' character.

I rather dislike this. It's too useful to "mget */*.??" and the like.

I'd rather see it refuse, or at least confirm, paths beginning with
"../" or including "/../". One could argue the client should accept a
leading ../ when the user specified a leading ../, but that's probably
getting a little too frilly. (Of course, this should all be
configurable off, but it also should default on.)

der Mouse

mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
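A concrete form of the check proposed in the reply above, added here as an illustration and not part of der Mouse's post or of any real ftp client's code: each line of a server's NLST response is classified before mget would open a local file for it. The function and enum names are assumed for the example. It applies the post's rule component by component (so a bare ".." and a trailing "/.." are caught along with a leading "../" and an embedded "/../"), flags those lines for confirmation rather than silently dropping them, and still accepts plain relative paths with slashes so that "mget */*.??" keeps working. Rejecting absolute paths and control characters goes beyond what the post asks for and is an assumption of the example, not something the post recommends.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Verdict for one NLST response line (names are this example's own):
 *   NLST_ACCEPT  - plain relative path; safe for mget to create locally
 *   NLST_CONFIRM - contains a ".." component; ask the user before fetching
 *   NLST_REJECT  - absolute path, empty line, or control character
 *                  (the last two rules are an assumption beyond the post)
 */
typedef enum { NLST_ACCEPT = 0, NLST_CONFIRM = 1, NLST_REJECT = 2 } nlst_verdict;

/* True if any '/'-separated component of p is exactly "..":
 * "..", "../x", "x/../y" and "x/.." all match; "a..b" and "...x" do not. */
static bool has_dotdot_component(const char *p)
{
    const char *s = p;
    while (*s) {
        const char *end = strchr(s, '/');
        size_t len = end ? (size_t)(end - s) : strlen(s);
        if (len == 2 && s[0] == '.' && s[1] == '.')
            return true;
        if (!end)
            break;
        s = end + 1;
    }
    return false;
}

nlst_verdict classify_nlst_line(const char *line)
{
    if (line == NULL || *line == '\0')
        return NLST_REJECT;
    /* Absolute paths would write outside the current directory outright.
     * Not part of the post's rule; assumed here. */
    if (*line == '/')
        return NLST_REJECT;
    /* CR, LF and other control bytes have no business in a file name and
     * could confuse line-based parsing of the listing. Assumed here. */
    for (const char *c = line; *c; c++)
        if ((unsigned char)*c < 0x20 || *c == 0x7f)
            return NLST_REJECT;
    /* The post's check: refuse, or at least confirm, ".." components. */
    if (has_dotdot_component(line))
        return NLST_CONFIRM;
    return NLST_ACCEPT;
}

static const char *verdict_name(nlst_verdict v)
{
    switch (v) {
    case NLST_ACCEPT:  return "accept";
    case NLST_CONFIRM: return "confirm";
    default:           return "reject";
    }
}

int main(void)
{
    /* Constructed sample listing: what a server might return for "mget *" */
    static const char *const listing[] = {
        "README", "src/main.c", "pub/docs/notes.gz",
        "../.forward", "pub/../../.rhosts", "..", "/etc/passwd", "a..b/c",
    };
    for (size_t i = 0; i < sizeof listing / sizeof listing[0]; i++)
        printf("%-20s %s\n", listing[i], verdict_name(classify_nlst_line(listing[i])));
    return 0;
}
```

The client would fetch NLST_ACCEPT entries as it does today, prompt on NLST_CONFIRM entries (which is also the point where a user who typed a leading ../ could say yes), and log NLST_REJECT entries. Whether the check is on by default and can be switched off is a client option, as the post suggests, and is outside this function.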