List:       oss-security
Subject:    Re: [oss-security] [oCERT-2010-001] multiple http client unexpected download filename vulnerability
From:       Ludwig Nussel <ludwig.nussel () suse ! de>
Date:       2010-05-19 13:28:18
Message-ID: 201005191528.18818.ludwig.nussel () suse ! de

Solar Designer wrote:
> [...]
> Although I used a somewhat tricky approach in the above exploit,
> eventually making wget overwrite a file, it is also possible to mount
> attacks that do not rely on overwriting any files.  Many programs
> support optional startup/config files of fixed/known/guessable names
> that a malicious or compromised server could provide.  In fact, I've
> just demonstrated this attack against wget itself, but it could also
> work against another program.
> 
> Is this more convincing now?

Serving dot files is a neat trick indeed; I've overlooked that
paragraph in the oCERT advisory. Nevertheless I'm not convinced it's
worth changing wget's default behavior in the proposed way. So I can
understand upstream here.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
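
An added example, not part of the original message and not wget's code: one way a download client could vet a file name that the server influenced (for instance through a redirect) before writing it, covering both cases discussed in the thread, dot files and overwrites. The function names, the policy itself and the `example.test` URLs are assumptions made for illustration; this is not the change that was proposed to upstream.

```python
import os
from urllib.parse import urlsplit, unquote

class UnsafeFilename(ValueError):
    """Raised when a server-influenced name must not be used as-is."""

def candidate_name(url: str) -> str:
    """Last path segment of a URL, percent-decoded ('' if there is none)."""
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])

def vet_download_name(requested_url: str, final_url: str, dest_dir: str) -> str:
    """Return a path inside dest_dir that is safe to create, or raise.

    requested_url is what the user asked for; final_url is where the
    server's redirects ended (hypothetical inputs for this sketch).
    """
    wanted = candidate_name(requested_url)
    offered = candidate_name(final_url)
    name = offered or wanted or "index.html"
    # Separators or NULs that appear after decoding mean this is not a plain name.
    if any(c in name for c in ("/", "\\", "\x00")) or name in (".", ".."):
        raise UnsafeFilename(f"not a plain file name: {name!r}")
    # Dot files are the startup/config names the thread is concerned with.
    if name.startswith("."):
        raise UnsafeFilename(f"hidden file name offered: {name!r}")
    # A name the user never asked for should be confirmed, not silently used.
    if wanted and offered != wanted:
        raise UnsafeFilename(f"server changed {wanted!r} to {name!r}")
    path = os.path.join(dest_dir, name)
    # lexists() also catches dangling symlinks planted at the target name.
    if os.path.lexists(path):
        raise UnsafeFilename(f"refusing to overwrite {path!r}")
    return path
```

A caller would catch `UnsafeFilename` and either prompt the user or fall back to the name from the requested URL.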