You are playing handpuppet of the jackass, actually. Check PATH_MAX in the Linux Kernel.
J On Wed, 15 Aug 2007 12:53:18 -0400 monikerd <[EMAIL PROTECTED]> wrote: >Joey Mengele wrote: >> Where does security come into play here? This is a local crash >in a >> non setuid binary. I would like to hear your remote exploitation > >> scenario. Or perhaps your local privilege escalation scenario? >> >> J >> >> >I'll play advocate of the devil then. Imagine a wiki running on a >webserver, > >that allows anybody to create new topics which end up in >/articles/[Topic].txt >with sufficient .htaccess stuff in /articles to twart most usual >attacks .. > > >If you could create an arbitrary long topic, then you *might* >be able to execute some code, when some cronjob would scan the >drive >and come across the file? > >creating files is a different privilege than running code. Hence >imho >it's not a bogus advisory. > > >another possibility would be to create an archive that extracts an >incredibly >long filename perhaps? scanning an archive before/after it's >extracted >is a pretty common event i guess. -- Click for free information on accounting careers, $150 hour potential. http://tagline.hushmail.com/fc/Ioyw6h4dCaNyraR2kkZ8KcMCiTJDWZokEDbswig9iZ5cvsPFFYamWc/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
