https://bugzilla.mindrot.org/show_bug.cgi?id=3693

--- Comment #2 from renmingshuai <rmsh1...@163.com> ---
(In reply to Damien Miller from comment #1)
> No, it's not based on the protocol because it's local only.
> 
> How could a server exploit this? There's no way for sftp to pass
> server output to its command input unless the user explicitly
> configures it.

It is not sftp that passes the server output to its command input. The
user's expect script captures the keyword "password" in the server's
banner, and then inputs "!test" to sftp command input.
For example:
spawn sftp username@Host
expect {
"*assword*" {send -- "! test\r"}
}
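
Added example, not part of the original comment or of OpenSSH: a small Python model of how the "*assword*" glob from the script above fires on server-chosen banner text before the client's own prompt appears, next to a pattern anchored on the prompt line. The transcript, the origin labels and PROMPT_RE are constructed assumptions, and fnmatch only approximates expect's glob matching.

```python
import fnmatch
import re

# Constructed sample of what the spawned sftp's pty emits, in arrival order.
# "remote" text is chosen by the server; "local" text is printed by the client.
CHUNKS = [
    ("local", "Connecting to Host...\r\n"),
    ("remote", "NOTICE: password changes on this system are logged\r\n"),
    ("local", "username@Host's password: "),
]

LOOSE_GLOB = "*assword*"  # pattern from the script in the comment
# Assumed stricter pattern: the last line of the buffer must be a password prompt.
PROMPT_RE = re.compile(r"(?:\A|\n)[^\r\n]*'s password: \Z")


def loose(buf):
    # fnmatch's "*" spans newlines, approximating expect's glob matching.
    return fnmatch.fnmatchcase(buf, LOOSE_GLOB)


def strict(buf):
    return PROMPT_RE.search(buf) is not None


def first_fire(chunks, matcher):
    """Feed chunks as expect would see them and return the origin of the chunk
    that first makes the matcher succeed, or None if it never fires."""
    buf = ""
    for origin, text in chunks:
        buf += text
        if matcher(buf):
            return origin
    return None


def report():
    return {"loose": first_fire(CHUNKS, loose),
            "strict": first_fire(CHUNKS, strict)}


if __name__ == "__main__":
    for name, origin in report().items():
        print(f"{name:6s} pattern first fires on {origin} text")
    # Anchoring narrows the trigger; it cannot prove which side wrote the bytes.
```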
