GNU bash, version 4.2.8(1)-release (x86_64-pc-linux-gnu)
$ bash --version
GNU bash, version 4.0.28(1)-release (i386-pc-solaris2.8)
Bash fails to normalize paths starting with "//" and will consider "/" and "//" to be different paths:
$ cd /tmp && pwd
/tmp
$ cd //tmp && pwd
//tmp
Scripts which do path normalization by:
normalDir=`cd "${dirToNormalize}";pwd`
and check it against blacklists are vulnerable.
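The check described in the post, next to one that squeezes slash runs before comparing, as an added example that is not part of the original post. DENYLIST, the function names and the choice of `tr -s` as the fix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post.
# DENYLIST and all function names are hypothetical.
DENYLIST="/etc /tmp"

# Pattern from the post: "normalize" with cd + pwd, then compare.
# A shell that preserves a leading "//" returns "//tmp" for "//tmp".
normalize_naive() {
    (cd "$1" 2>/dev/null && pwd)
}

# Stricter variant: ignore CDPATH, stop option parsing with "--",
# then squeeze every run of "/" so "//tmp" and "/tmp" compare equal.
normalize_strict() {
    p=$(CDPATH= cd -- "$1" 2>/dev/null && pwd) || return 1
    printf '%s\n' "$p" | tr -s '/'
}

# is_denied NORMALIZER PATH
# Returns 0 (denied) when the normalized path is a deny-list entry or
# lies below one. A path that cannot be normalized is denied as well,
# so the check fails closed.
is_denied() {
    n=$("$1" "$2") || return 0
    for d in $DENYLIST; do          # unquoted on purpose: split on spaces
        case $n in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# Show both normalizers on the two spellings used in the post.
for path in /tmp //tmp; do
    for fn in normalize_naive normalize_strict; do
        if is_denied "$fn" "$path"; then verdict=denied; else verdict=allowed; fi
        printf '%-17s %-6s -> %s\n' "$fn" "$path" "$verdict"
    done
done
```

On a shell that keeps the leading "//", the normalize_naive line for //tmp reports "allowed" while normalize_strict reports "denied".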