
View Full Version : Re: Directory traversal vulnerabilities in several archivers processing



Stephen Samuel
19/12/02, 23:36
It's not always obvious that an archive shouldn't be trusted --
for example, the break-ins at the BSD and Sendmail sites.

Trusting directory traversal strings (absolute paths and ../) should
require an explicit request on the part of the user. Just because a
user 'should' be wary of a trojan archive doesn't mean that they
always will be.


Andrew Kopp wrote:
.....
> And to those who extract an un-trusted archive and set the "don't prompt
> me" flag, you really need a lesson in 'basic' (very obvious too!)
> security practices.

--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
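
The policy argued for in the post above (absolute paths and ../ are refused unless the user explicitly asks for them), sketched as an added example that is not part of the original post or of any archiver discussed in the thread. The function names and the `allow_traversal` flag are hypothetical, the sample archive is constructed in memory, and the check goes slightly beyond the post by also treating backslashes and drive letters as path syntax.

```python
import io
import tarfile


def is_traversal(name: str) -> bool:
    """True if a member name is absolute or contains a '..' path component."""
    norm = name.replace("\\", "/")            # treat Windows separators alike
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True                            # absolute path or drive letter
    return ".." in norm.split("/")             # whole component only, not 'a..b'


def plan_extraction(archive: tarfile.TarFile, allow_traversal: bool = False):
    """Split member names into (to_extract, refused).

    Traversal names are refused by default; accepting them takes an
    explicit opt-in from the caller (hypothetical flag).
    """
    to_extract, refused = [], []
    for member in archive.getmembers():
        if is_traversal(member.name) and not allow_traversal:
            refused.append(member.name)
        else:
            to_extract.append(member.name)
    return to_extract, refused


def build_sample_archive() -> bytes:
    """Constructed sample: an in-memory tar mixing benign and traversal names."""
    names = ("docs/readme.txt", "../../outside.txt", "/tmp/abs.txt", "a..b/notes.txt")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)       # stored as given, not normalised
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo(allow_traversal: bool = False):
    """Plan extraction of the constructed archive under the chosen policy."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
        return plan_extraction(tar, allow_traversal)


if __name__ == "__main__":
    ok, refused = demo()
    print("extract:", ok)
    print("refused:", refused)
```
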