Bekijk Volledige Versie : Re: Directory traversal vulnerabilities in several archivers processing

Stephen Samuel
19/12/02, 22:36
It's not always obvious that an archive shouldn't be trusted --
for example, the breakins at the BSD and Sendmail sites.

Trusting directory traversal strings (absolute paths and ../) should
require an explicit request on the part of the user. Just because a
user 'should' be wary of a trojan archive doesn't mean that they
always will be.

Andrew Kopp wrote:
> And to those who extract an un-trusted archive and set the "don't prompt
> me" flag, you really need a lesson in 'basic' (very obvious too!)
> security practices.

Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.