oss-sec mailing list archives

Re: ftp(1) can be made execute arbitrary commands by malicious webserver


From: Stuart Henderson <sthen () openbsd org>
Date: Tue, 28 Oct 2014 19:34:42 +0000

On 2014/10/28 17:50, Alistair Crooks wrote:
   The FTP client will follow HTTP redirects, and uses the part of the
   path after the last / from the last resource it accesses as the output
   filename (as long as -o is not specified).

BTW, I changed OpenBSD's ftp(1) a while ago to just use the "filename"
part of the original request, rather than taking a name from the
redirection target (this also matches what curl -O does) - it's a bit
less convenient in some cases, but it felt like a bad idea to allow the
output filename to be under control of the remote host (though I was
more thinking of the situation where someone might run it from their
home directory and write to something like .profile).
