RE: Win32 binary without FTP vulnerability

2003-08-29 Thread Herold Heiko
Either I didn't understand your point, or possibly you didn't follow the
problem.

The vulnerability in question happens when wget tries to get a file with
ftp, named for example "file", and the (rogue) ftp server instead returns
a file named "../../../../../../../../etc/passwd" or similar.

On Windows, besides that, we should also check if the returned filename is
(for example) c:/winnt/calc.exe or c:\winnt\calc.exe, which would be
interpreted as a relative directory in Unix (no harm, isn't checked
currently) but is an absolute directory path in Windows (attack possibility).
Similarly, we need to check if possible rogue filenames like
\\some\thing\here could be harmful.

This is different from  wget -O \\server\share\dir or similar.

Heiko Herold

-- 
-- PREVINET S.p.A. www.previnet.it
-- Heiko Herold [EMAIL PROTECTED]
-- +39-041-5907073 ph
-- +39-041-5907472 fax

> -Original Message-
> From: Winter Christopher [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 28, 2003 8:50 AM
> To: [EMAIL PROTECTED]
> Subject: AW: Win32 binary without FTP vulnerability
> 
> 
> Hello Heiko,
> 
> in that case you'll lose the ability to write to network shares,
> which don't have a ':' but normally a '/' in that place.
> 
> Regards,
> 
> Christopher
> 
> -Original Message-
> From: Herold Heiko [mailto:[EMAIL PROTECTED]
> Sent: Monday, 25 August 2003 15:46
> To: [EMAIL PROTECTED]
> Subject: RE: Win32 binary without FTP vulnerability
> 
> However as a matter of fact that could still suffer from a similar direct
> drive access bug (instead of dot dot use driveletter:). I don't think
> anybody ever checked if in that case access to an absolute path on another
> drive would be possible or if that would be thwarted later by the file
> renaming routine (which would change ':' to '@').
> 
> I've always wanted to implement a small additional path for that but never
> did it since I don't have a patched rogue ftp server handy to test it.
> 
> What would be needed to be patched is has_insecure_name_p() in fnmatch.c,
> #ifdef WINDOWS check if the second character is ':' .
> 
> Heiko
> 
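As an added illustration (not code from wget or from the posters), here is one way the checks discussed in this message and in the quoted 25 August message could be written in C: dot-dot components, a drive letter followed by ':', and leading separators such as \\some\thing\here. The function name remote_name_is_insecure and its windows flag are hypothetical; the check applies only to names supplied by the server, not to a path the user passes with -O.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; this is not wget's
   has_insecure_name_p(). */
static bool is_sep(char c, bool windows)
{
    return c == '/' || (windows && c == '\\');
}

/* Return true if a server-supplied file name could escape the
   download directory. With windows=true, a backslash is also a
   separator and drive-letter prefixes are rejected. */
bool remote_name_is_insecure(const char *name, bool windows)
{
    /* Leading separator: absolute path on Unix; rooted or UNC-style
       name on Windows. */
    if (is_sep(name[0], windows))
        return true;

    /* Second character is ':' after a letter: "c:/..." or "c:\...",
       and also the drive-relative form "c:file". */
    if (windows && isalpha((unsigned char)name[0]) && name[1] == ':')
        return true;

    /* Reject any path component that is exactly "..". */
    const char *p = name;
    while (*p) {
        const char *end = p;
        while (*end && !is_sep(*end, windows))
            end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return true;
        p = *end ? end + 1 : end;
    }
    return false;
}

int main(void)
{
    /* Names taken from the thread, checked with Windows rules. */
    const char *names[] = { "file", "../../../../../../../../etc/passwd",
        "c:/winnt/calc.exe", "c:\\winnt\\calc.exe", "\\\\some\\thing\\here" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-40s %s\n", names[i],
               remote_name_is_insecure(names[i], true) ? "reject" : "ok");
    return 0;
}
```
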


RE: Win32 binary without FTP vulnerability

2003-08-25 Thread Herold Heiko
However as a matter of fact that could still suffer from a similar direct
drive access bug (instead of dot dot use driveletter:). I don't think
anybody ever checked if in that case access to an absolute path on another
drive would be possible or if that would be thwarted later by the file
renaming routine (which would change ':' to '@').

I've always wanted to implement a small additional path for that but never
did it since I don't have a patched rogue ftp server handy to test it.

What would be needed to be patched is has_insecure_name_p() in fnmatch.c,
#ifdef WINDOWS check if the second character is ':' .

Heiko

-- 
-- PREVINET S.p.A. www.previnet.it
-- Heiko Herold [EMAIL PROTECTED]
-- +39-041-5907073 ph
-- +39-041-5907472 fax

> -Original Message-
> From: Doug Kaufman [mailto:[EMAIL PROTECTED]
> Sent: Sunday, August 17, 2003 6:51 AM
> To: Vesselin Peev
> Cc: [EMAIL PROTECTED]
> Subject: Re: Win32 binary without FTP vulnerability
> 
> 
> On Sun, 17 Aug 2003, Vesselin Peev wrote:
> 
> > I have previously looked at the same downloads.
> > However, the security advisory is dated December 2002, while the 1.8.2
> > version I downloaded from Heiko Herold's wget sport is dated 2002/05/29. Is
> 
> You need to download the 1.9 beta version. It is available there.
>  Doug
> 
> 
> -- 
> Doug Kaufman
> Internet: [EMAIL PROTECTED]
> 


Re: Win32 binary without FTP vulnerability

2003-08-16 Thread Doug Kaufman
On Sun, 17 Aug 2003, Vesselin Peev wrote:

> I have previously looked at the same downloads.
> However, the security advisory is dated December 2002, while the 1.8.2
> version I downloaded from Heiko Herold's wget sport is dated 2002/05/29. Is

You need to download the 1.9 beta version. It is available there.
 Doug


-- 
Doug Kaufman
Internet: [EMAIL PROTECTED]



Re: Win32 binary without FTP vulnerability

2003-08-16 Thread Vesselin Peev
Hello,

I have previously looked at the same downloads.
However, the security advisory is dated December 2002, while the 1.8.2
version I downloaded from Heiko Herold's wget sport is dated 2002/05/29. Is
this really the latest binary? The vulnerability exists in all versions prior
to 1.8.2-4, but when typing "wget -V" only 1.8.2 is displayed.

-Vesko
- Original Message - 
From: "Doug Kaufman" <[EMAIL PROTECTED]>
To: "Vesselin Peev" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, August 17, 2003 6:37 AM
Subject: Re: Win32 binary without FTP vulnerability


> On Sun, 17 Aug 2003, Vesselin Peev wrote:
>
> > Where can I download the most recent binary for Win32 that is free
> > of this vulnerability? All the places I've accessed that carry the
> > Win32 binary say just 1.8.2, and many were last updated before the
> > advisory date.
>
> Pointers to the latest Windows binaries can be found on the wget home
> page: "http://wget.sunsite.dk/".
>  Doug
>
> -- 
> Doug Kaufman
> Internet: [EMAIL PROTECTED]
>
>
>




Re: Win32 binary without FTP vulnerability

2003-08-16 Thread Doug Kaufman
On Sun, 17 Aug 2003, Vesselin Peev wrote:

> Where can I download the most recent binary for Win32 that is free
> of this vulnerability? All the places I've accessed that carry the
> Win32 binary say just 1.8.2, and many were last updated before the
> advisory date.

Pointers to the latest Windows binaries can be found on the wget home
page: "http://wget.sunsite.dk/".
 Doug

-- 
Doug Kaufman
Internet: [EMAIL PROTECTED]