Giuseppe Iuculano schrieb:
Package: znc
Severity: grave
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
znc 0.072 fixes an high-impact directory traversal bug
| You can upload files to znc via /dcc send *status. The files will be saved in <datadir>/users/<user>/downloads/.
| The code for this didn't do any checking on the file name at all and thus allowed directory traversal attacks by
| all znc users (no admin privileges required!).
| By exploiting this bug, attackers could e.g. upload a new ssh authorized_keys
file or upload a znc module which
| lets everyone gain shell access. Anything is possible.
| Again: ONLY A NORMAL USER ACCOUNT NEEDED, no admin privileges. THE ATTACKER
GOT WRITE ACCESS TO ALL PLACES ZNC GOT WRITE ACCESS TO.
Patch:
http://znc.svn.sourceforge.net/viewvc/znc?view=rev&sortby=rev&sortdir=down&revision=1570
Hello,
yes I already talked about that with upstream.
0.072 itself is b0rked (broken webadmin), so this has to wait.
But I will create in the next days fixed versions for stable-security etc.
Cheers.
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
