[17139] in bugtraq
Re: ISS Security Advisory: Insecure call of external programs
daemon@ATHENA.MIT.EDU (Adam Rice)
Tue Oct 10 14:06:31 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <39E2D6FC.CE78D0C6@newsquest.co.uk>
Date: Tue, 10 Oct 2000 09:44:44 +0100
Reply-To: adam@NEWSQUEST.CO.UK
From: Adam Rice <adam@NEWSQUEST.CO.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
Alfred Perlstein wrote:
> 2) this utility should be rewriten to just run its checks on the
> output from find which is a utility that's most likely smarter
> and proven about directory traversal than this thing.
You are wrong here. While find's directory traversal is beyond reproach,
its output reflects the state of the filesystem some microseconds ago.
An attacker could have changed everything in the meantime. find cannot
be used in untrusted environments. This has been discussed extensively
on Bugtraq in the past, so I won't go into detail now.
Adam Rice
