On Thu, Dec 23, 1999 at 11:31:53AM +1100 suid wrote:

> 3) SITE ZIPCHK command:
>
> The SITE command ZIPCHK can be used to check the validity of a ZIP file on a server.
> Presumably this is so you can make sure the ZIP file you are about to download is valid
> and free from error. The way this works is thus:
>
> glFtpD user does:
> ftp> quote SITE ZIPCHK XXXXX.ZIP
>
> glFtpD then runs a shell script with XXXXX.ZIP as argv[1] or 2,
> which calls /bin/unzip etc etc.
>
> If a user is able to create a filename with ";" characters in the name, they can
> execute arbitrary code on the remote server with the privilege level of the server.

Easy fix should be to override the command in glftpd.conf (or equivalent) with something like:

site_cmd ZIPCHK TEXT /ftp-data/misc/disabled

Which causes a text file to be displayed rather than a command executed.

--
//Per
.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,
Per Lejontand, Student of Computer science, Admin @ {acc,ltlab}.umu.se
Phone: +46-70-2163191
*** Stay away from hurricanes for a while.
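As an added illustration, not part of the thread above and not glFtpD's own script, here is what a hardened form of the ZIPCHK wrapper described in the quoted post looks like: the filename is checked against a character allowlist before it reaches any command, and unzip is invoked with the argument quoted and after `--`, so a `;` (or any other shell metacharacter) in a filename is never interpreted. The script layout, the function names, the `unzip -t` integrity test and the directory argument are assumptions.

```shell
#!/bin/sh
# Hypothetical hardened ZIPCHK wrapper (added example, not glFtpD's own code).
# The server hands the ZIP filename over as an argument; the flaw in the
# quoted post was that the name reached a shell unquoted, so ";" and
# similar characters in the name became additional commands.

# zipchk_name_ok NAME -> returns 0 if NAME is a plain ZIP filename, 1 otherwise.
# Allowlist rather than blocklist: only [A-Za-z0-9._-] and a .zip/.ZIP suffix,
# no path separators, no leading dash, no empty string.
zipchk_name_ok() {
    name=$1
    [ -n "$name" ] || return 1
    case "$name" in
        -*) return 1 ;;                     # would be parsed as an option
        *[!A-Za-z0-9._-]*) return 1 ;;      # rejects ; | & $ ` space / newline ...
    esac
    case "$name" in
        *.zip|*.ZIP) return 0 ;;
        *) return 1 ;;
    esac
}

# zipchk DIR NAME -> runs the integrity test on DIR/NAME only after the name
# passes the allowlist. The path is quoted and placed after "--", so the shell
# never re-parses it and unzip never treats it as an option.
zipchk() {
    dir=$1
    name=$2
    if ! zipchk_name_ok "$name"; then
        echo "ZIPCHK: refused invalid file name" >&2
        return 2
    fi
    [ -f "$dir/$name" ] || { echo "ZIPCHK: no such file" >&2; return 2; }
    unzip -t -- "$dir/$name"
}

# Entry point when invoked by the server: zipchk.sh DIR NAME
if [ "$#" -eq 2 ]; then
    zipchk "$1" "$2"
fi
```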
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:23:16 PDT