[11723] in bugtraq


Re: Babcia Padlina Ltd. security advisory: mars_nwe bu

daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Tue Sep 7 19:48:41 1999

Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Mime-Version: 1.0
Message-Id:  <XFMail.990903182700.venglin@FreeBSD.lublin.pl>
Date:         Fri, 3 Sep 1999 18:27:00 +0200
Reply-To: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
X-To:         Taneli Huuskonen <huuskone@cc.helsinki.fi>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <199909020221.FAA10060@sirppi.helsinki.fi>

-----BEGIN PGP SIGNED MESSAGE-----

On 02-Sep-99 Taneli Huuskonen wrote:

> +  snprintf(command, sizeof(command)-1, "mv %s %s 2>&1 >/dev/null" , oldname,
> newname);
>    return(system(command));
>  }
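
Review bot: the added snprintf() line puts oldname and newname into the shell command with bare %s, and the next line hands the string to system(), so spaces and shell metacharacters in either name are interpreted by the shell rather than treated as part of a file name. Use rename(oldname, newname), or fork and exec mv with the two names as separate arguments, instead of building a command line. If the string form stays, the snprintf() return value needs checking, since a truncated command would still be run, and "2>&1 >/dev/null" leaves stderr on the caller's stdout; ">/dev/null 2>&1" silences both.
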
>
> Without seeing the context, I can't say for sure, but this looks like a
> hole big enough to drive a truck through  -  calling system( ) with
> user-supplied arguments.  If this code is running with superuser
> privileges and shell metacharacters haven't been removed very carefully,
> there's going to be a trivial exploit.

Oh, I've looked at the code, and the function that contains that system() isn't ever
used. :)

- ---
* Fido: 2:480/124 ** WWW: FreeBSD.lublin.pl/~venglin ** GSM: +48-601-383657 *
* Inet: venglin@FreeBSD.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

-----END PGP SIGNATURE-----
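
The concern raised in the quoted reply, shown as an added example that is not part of the original post and is not mars_nwe code: moving a file by executing mv with an argument vector, so the names never reach a shell. The helper name move_file_noshell, the /bin/mv path and the fixed PATH are assumptions.

```c
/* Added example, not mars_nwe code: move a file without a shell. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper. Returns mv's exit status (127 if mv could not be
 * executed), or -1 if the arguments are empty or fork/wait fails. */
int move_file_noshell(const char *oldname, const char *newname)
{
    pid_t pid;
    int status;

    if (!oldname || !newname || !*oldname || !*newname) {
        errno = EINVAL;
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Each name is a single argv element, so spaces, ';', '$' and
         * backquotes stay plain bytes; "--" keeps a leading '-' from
         * being parsed as an option. Path and PATH are assumptions. */
        char *const args[] = { "mv", "--", (char *)oldname, (char *)newname, NULL };
        char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
        int fd = open("/dev/null", O_WRONLY);
        /* Discard both stdout and stderr of mv. */
        if (fd < 0 || dup2(fd, 1) < 0 || dup2(fd, 2) < 0)
            _exit(127);
        execve("/bin/mv", args, envp);
        _exit(127); /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s oldname newname\n", argv[0]);
        return 2;
    }
    return move_file_noshell(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

Where both names are on the same file system, rename(2) does the same job with no child process at all.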
