---------- Forwarded Message ----------
Subject: solution to wu-ftpd + tar program execution
Date: Friday 05 September 2003 16:14
From: Georgi Guninski <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

This has been known for a long time:
http://www.security-express.com/archives/bugtraq/1999-q4/0405.html

There is an easy solution to this which doesn't cut functionality:
in ftpconversions place " -- " before "%s" in every line which has tar
(probably on all lines is a good idea).
" -- " terminates the arguments passed to tar, so programs can't be injected.

Linux distributions were notified about the solution, Debian released an
advisory at:
http://www.debian.org/security/2003/dsa-377

georgi

-------------------------------------------------------

--
pub 4096R/0E4BD0AB 2003-03-18 <keyserver.bu.edu>
1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================
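
The fix described in the mail above, as an added example that is not part of the original message or of wu-ftpd: a shell filter that audits an ftpconversions file for tar entries lacking `--` before `%s` and rewrites them. The sample entries are constructed, the colon-separated layout with the external command in field 5 is an assumption, and the names `ftpconv` and `sample_conversions` are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes the colon-separated ftpconversions layout in which
# field 5 holds the external command and %s is replaced by the file name.

# Constructed sample entries; the last one already carries the fix.
sample_conversions() {
    cat <<'EOF'
 :.Z:  :  :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
 :   : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
 :   : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
 :   : :.tar.Z:/bin/tar -c -Z -f - -- %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
EOF
}

# ftpconv MODE [SCOPE]: filter from stdin to stdout.
#   MODE  audit = print "lineno:entry" for entries lacking "--" before %s
#         fix   = print the whole file with "-- " inserted where missing
#   SCOPE tar (default) = only entries that run tar; all = every entry
ftpconv() {
    awk -F: -v OFS=: -v mode="$1" -v scope="${2:-tar}" '
        function needs_fix(cmd,   prog) {
            prog = cmd
            sub(/^[ \t]+/, "", prog)     # drop leading blanks
            sub(/[ \t].*$/, "", prog)    # keep only the program path
            sub(/.*\//, "", prog)        # reduce the path to its basename
            if (scope != "all" && prog != "tar") return 0
            # Needs the fix when %s is present without a preceding "--".
            return (cmd ~ /%s/ && cmd !~ /[ \t]--[ \t]+%s/)
        }
        # Comments and malformed lines pass through untouched.
        /^[ \t]*#/ || NF < 5 { if (mode == "fix") print; next }
        needs_fix($5) {
            if (mode == "audit") { print NR ":" $0; next }
            sub(/%s/, "-- %s", $5)       # end option parsing before the name
        }
        mode == "fix" { print }
    '
}

# Show the hardened form of the constructed sample.
sample_conversions | ftpconv fix
```

Running `ftpconv fix` twice gives the same output as running it once, so it can be applied to a file that is already partly fixed.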