[5106] in bugtraq
Re: security hole in mget (in ftp client)
daemon@ATHENA.MIT.EDU (der Mouse)
Tue Aug 5 14:01:26 1997
Date: Tue, 5 Aug 1997 12:55:27 -0400
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG
> On most Unix platforms, when an ftp client processes an mget command,
> it does not check [...for evilness like:] In particular, a malicious
> ftp server's NLST response might include lines such as "../.forward",
> Perhaps the easiest solution is to fix the ftp client to ignore lines
> in an NLST response that include a '/' character.
I rather dislike this. It's too useful to "mget */*.??" and the like.
I'd rather see it refuse, or at least confirm, paths beginning with
"../" or including "/../". One could argue the client should accept a
leading ../ when the user specified a leading ../, but that's probably
getting a little too frilly. (Of course, this should all be
configurable off, but it also should default on.)
der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
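As an added example that is not code from the post or from any ftp client, here is how the rule proposed above could be applied to each name in an NLST response before mget fetches it: names beginning with "../" or containing "/../" are refused, while relative subdirectory paths like those matched by "mget */*.??" still pass. It goes slightly beyond the post by also refusing absolute paths, a bare "..", and names ending in "/.."; the function names and the sample server response are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical check for one name from an NLST response. Returns 1 if
 * the name stays inside the current directory tree, 0 if it could climb
 * out of it. "../" and "/../" are the cases from the post; absolute
 * paths, "..", and a trailing "/.." are added for the same reason. */
int nlst_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || name[0] == '/')
        return 0;                 /* empty or absolute path */
    if (strcmp(name, "..") == 0 || strncmp(name, "../", 3) == 0)
        return 0;                 /* leaves the cwd immediately */
    if (strstr(name, "/../") != NULL || (len >= 3 && strcmp(name + len - 3, "/..") == 0))
        return 0;                 /* leaves the cwd from a subdirectory */
    return 1;                     /* "sub/file", "..foo" etc. are fine */
}

/* Walk an NLST response (one name per line, CRLF or LF terminated) and
 * return how many names mget would fetch; unsafe or overlong names are
 * reported on stderr and skipped. */
int filter_nlst_response(const char *response)
{
    char name[256];
    int kept = 0;
    const char *p = response;
    while (*p != '\0') {
        size_t n = strcspn(p, "\r\n");   /* length of this line */
        int safe = 0;
        if (n > 0 && n < sizeof name) {
            memcpy(name, p, n);
            name[n] = '\0';
            safe = nlst_name_is_safe(name);
        }
        if (safe)
            kept++;
        else if (n > 0)
            fprintf(stderr, "mget: skipping unsafe name from server: %.*s\n", (int)n, p);
        p += n + strspn(p + n, "\r\n");  /* skip the line and its terminator(s) */
    }
    return kept;
}

int main(void)
{
    /* Constructed sample NLST response from a hostile server. */
    const char *sample = "README\r\nsrc/main.c\r\n../.forward\r\n"
                         "docs/../../.rhosts\r\n/etc/passwd\r\n";
    printf("%d of 5 names would be fetched\n", filter_nlst_response(sample));
    return 0;
}
```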