Re: Multiple vulnerabilities in glFtpD (current versions)

From: Per Lejontand (peleat_private)
Date: Thu Dec 23 1999 - 13:29:57 PST


    at Thu, Dec 23, 1999 at 11:31:53AM +1100 suid wrote:
    
    > 	3) SITE ZIPCHK command:
    >
    > 		The SITE command ZIPCHK can be used to check the validity of a ZIP file on a server.
    > 		Presumably this is so you can make sure the ZIP file you are about to download is valid
    > 		and free from error. The way this works is thus:
    >
    > 			glFtpD user does:
    > 			ftp> quote SITE ZIPCHK XXXXX.ZIP
    > 			
    > 			glFtpD then runs a shell script with XXXXX.ZIP as argv[1] or 2.
    > 			which calls /bin/unzip etc etc.
    >
    > 		If a user is able to create a filename with ";" characters in the name, they can
    > 		execute arbitrary code on the remote server with the privilege level of the server.
    
    Easy fix should be to override the command in glftpd.conf (or equivalent) with
    something like:
    
    site_cmd ZIPCHK TEXT /ftp-data/misc/disabled
    
    Which causes a textfile to be displayed rather than a command executed.
    
    --
    
    //Per
    .,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,
      Per Lejontand, Student of Computer science, Admin @ {acc,ltlab}.umu.se
      Phone: +46-70-2163191
     *** Stay away from hurricanes for a while.
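
Added example, not part of the original message and not glFtpD's own script: for sites that need ZIPCHK rather than disabling it, a helper that checks the file name against an allowlist and hands it to unzip as a single quoted argument. The function names, return codes and sample names are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical hardened stand-in for a ZIPCHK helper script.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges byte-exact

# zipchk_name_ok NAME
# Return 0 only for a plain file name: letters, digits, '.', '_', '-',
# not starting with '-' or '.', ending in .zip. Anything else (';', spaces,
# quotes, '$', backticks, '/', newlines) is rejected.
zipchk_name_ok() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 255 ] || return 1
    case $name in
        -*|.*) return 1 ;;               # option-like or dot names
        *[!A-Za-z0-9._-]*) return 1 ;;   # any character outside the allowlist
    esac
    case $name in
        *.[Zz][Ii][Pp]) return 0 ;;
    esac
    return 1
}

# zipchk DIR NAME
# Validate first, then pass the path as one quoted argument. No eval, no
# "sh -c", no unquoted expansion, so the name is never re-parsed by a shell.
zipchk() {
    dir=$1
    name=$2
    if ! zipchk_name_ok "$name"; then
        echo "ZIPCHK: rejected file name" >&2
        return 2
    fi
    [ -f "$dir/$name" ] || { echo "ZIPCHK: no such file" >&2; return 3; }
    unzip -tqq "$dir/$name"              # -t: test archive integrity, -qq: quiet
}

# Constructed sample names; only the first one passes.
for n in 'release-1.0.zip' 'bad;name.zip' '-x.zip' 'notes.txt'; do
    if zipchk_name_ok "$n"; then echo "accept: $n"; else echo "reject: $n"; fi
done
```

Rejecting at upload time as well keeps such names from ever landing on disk, so other scripts that receive file names are covered too.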
    


