oss-sec mailing list archives
Re: ftp(1) can be made execute arbitrary commands by malicious webserver
From: Stuart Henderson <sthen () openbsd org>
Date: Tue, 28 Oct 2014 19:34:42 +0000
On 2014/10/28 17:50, Alistair Crooks wrote:
> The FTP client will follow HTTP redirects, and uses the part of the path after the last / from the last resource it accesses as the output filename (as long as -o is not specified).
BTW, I changed OpenBSD's ftp(1) a while ago to just use the "filename" part of the original request, rather than taking a name from the redirection target (this also matches what curl -O does) - it's a bit less convenient in some cases, but it felt like a bad idea to allow the output filename to be under control of the remote host (though I was more thinking of the situation where someone might run it from their home directory and write to something like .profile).
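The filename policy described in the reply above (derive the local output name from the original request URL and ignore whatever the redirect chain ends at), as an added illustration in C. This is not OpenBSD's ftp(1) code and not Stuart's patch; the function names, the URLs and the refusal of names beginning with '.' (an extra hardening added here, prompted by the .profile scenario he mentions) are assumptions of this example.

```c
/* Added example: derive a local output filename from the ORIGINAL request
 * URL only, never from a redirect target. Illustrative code, not the
 * ftp(1) source. */
#include <stdio.h>
#include <string.h>

/* Copy the last path component of `url` (query string and fragment
 * stripped) into `out` (capacity outlen). Returns 1 on success, 0 if
 * the name is unusable or unsafe: empty, ".", "..", any dotfile, or
 * too long for the buffer. */
int output_name_from_url(const char *url, char *out, size_t outlen)
{
    const char *p = url;
    const char *end;
    const char *base;
    size_t len;

    /* Skip "scheme://host" so a URL with no path yields an empty name. */
    const char *scheme = strstr(url, "://");
    if (scheme != NULL) {
        p = scheme + 3;
        p += strcspn(p, "/");   /* now at the start of the path, or at NUL */
    }
    /* Cut off query string and fragment; they are not part of the name. */
    end = p + strcspn(p, "?#");
    /* Locate the last '/' before `end`; the name starts after it. */
    base = p;
    for (const char *q = p; q < end; q++)
        if (*q == '/')
            base = q + 1;
    len = (size_t)(end - base);
    if (len == 0 || len >= outlen)
        return 0;
    /* Refuse hidden files and traversal components (".profile", ".", ".."). */
    if (base[0] == '.')
        return 0;
    memcpy(out, base, len);
    out[len] = '\0';
    return 1;
}

/* Decide what to write when a request for `orig` was redirected to
 * `final`: the name comes from `orig`; `final` is deliberately ignored,
 * so the remote host cannot choose the local filename. */
int choose_output(const char *orig, const char *final, char *out, size_t outlen)
{
    (void)final;  /* redirect target never influences the filename */
    return output_name_from_url(orig, out, outlen);
}

int main(void)
{
    /* Constructed URLs for demonstration. */
    char name[256];
    if (choose_output("http://example.com/pkg/foo.tgz",
                      "http://redirect.example/.profile", name, sizeof name))
        printf("would write %s\n", name);
    else
        printf("refused: no safe output name\n");
    return 0;
}
```

The point of the split into two functions is that the caller which handles the redirect never has the final URL in hand when it names the file; a reviewer can verify the policy by reading `choose_output` alone.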