[28260] in bugtraq
Re: Directory traversal vulnerabilities in several archivers processing
daemon@ATHENA.MIT.EDU (Stephen Samuel)
Thu Dec 19 16:37:11 2002
Message-ID: <3E021F6E.5010701@bcgreen.com>
Date: Thu, 19 Dec 2002 11:35:10 -0800
From: Stephen Samuel <samuel@bcgreen.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
In-Reply-To: <001c01c2a654$ef78f2e0$0200000a@dec>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
It's not always obvious that an archive shouldn't be trusted --
for example, the break-ins at the BSD and Sendmail sites.
Trusting directory traversal strings (absolute paths and ../) should
require an explicit request on the part of the user. Just because a
user 'should' be wary of a trojan archive doesn't mean that they
always will be.
Andrew Kopp wrote:
....
> And to those who extract an un-trusted archive and set the "don't prompt
> me" flag, you really need a lesson in 'basic' (very obvious too!)
> security practices.
--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
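The behaviour Samuel argues for above, that an archiver should refuse absolute paths and `../` components in member names unless the user explicitly asks for them, can be shown in a few lines. The following is an added example written for this page, not code from the original post or from any archiver discussed in the thread. It uses Python's standard `tarfile` module; the sample archive, its member names and contents, and the `allow_traversal` opt-in flag are all constructed for illustration.

```python
"""Added example (not from the original post): a tar extractor that
refuses directory-traversal member names unless the user explicitly asks
for them, which is the behaviour the post argues archivers should have.
Everything here, including the sample archive, is constructed for
illustration; the member names and contents are hypothetical."""

import io
import os
import tarfile
import tempfile


def is_traversal(name: str) -> bool:
    """Return True if a member name could escape the extraction directory.

    Flags absolute paths (POSIX and Windows style), drive letters and any
    '..' path component. Backslashes are treated as separators as well,
    because archives written on Windows may carry them; that is the
    conservative choice, at the cost of rejecting the rare POSIX file
    name that legitimately contains one.
    """
    if name.startswith(("/", "\\")):
        return True
    if len(name) >= 2 and name[1] == ":" and name[0].isalpha():
        return True                      # C:\... or C:/...
    return ".." in name.replace("\\", "/").split("/")


def build_demo_archive() -> bytes:
    """Constructed sample archive: one benign member and two hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in [
            ("docs/README", b"harmless\n"),
            ("../../.ssh/authorized_keys", b"ssh-rsa AAAA... attacker\n"),
            ("/etc/cron.d/backdoor", b"* * * * * root /tmp/x\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def safe_extract(archive: bytes, dest: str,
                 allow_traversal: bool = False) -> tuple[list[str], list[str]]:
    """Extract regular-file members of a tar archive into dest.

    Members whose names are traversal strings are skipped and reported
    unless the caller passes allow_traversal=True, the explicit opt-in
    the post calls for. Returns (written, skipped) member names.
    """
    dest_real = os.path.realpath(dest)
    written, skipped = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for member in tf.getmembers():
            if not allow_traversal and is_traversal(member.name):
                skipped.append(member.name)
                continue
            target = os.path.realpath(os.path.join(dest_real, member.name))
            # Second check on the resolved path, as belt and braces: catches
            # anything the name check missed, e.g. a symlinked directory
            # that already exists under dest.
            if not allow_traversal and \
                    os.path.commonpath([dest_real, target]) != dest_real:
                skipped.append(member.name)
                continue
            if member.isreg():           # demo handles plain files only
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tf.extractfile(member) as src, open(target, "wb") as dst:
                    dst.write(src.read())
                written.append(member.name)
    return written, skipped


def demo() -> tuple[list[str], list[str]]:
    """Run the safe extractor on the sample archive in a fresh temp dir."""
    dest = tempfile.mkdtemp(prefix="safe_extract_")
    return safe_extract(build_demo_archive(), dest)


if __name__ == "__main__":
    written, skipped = demo()
    print("written:", written)
    print("skipped:", skipped)
```

Run as a script, the default (no opt-in) writes only `docs/README` and reports the two hostile members as skipped; only a caller that passes `allow_traversal=True` gets the old behaviour, which mirrors the "explicit request on the part of the user" the post asks for. The name check alone is what the post is about; the second check on the resolved path is the extra step a practitioner adds so that an escape through an existing symlinked directory is caught too.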