|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)
doubles
hush.com
Date: Tue Oct 12 2004 - 02:49:53 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, 11 Oct 2004 12:50:20 -0700 Chris Umphress <umphressgmail.com>
wrote:
> chrischris:~/test$ arj a test.arj ../../../usr/local/bin/test.txt
ya have ''.'' in yar PATH! bwahahahah!
>Apart from it removing one "../" from the filename I gave it, it
>worked exactly as I expected.
dis is powerfull security whole! im writting a exploit for it right now
in visual cobol!
czech this out::
http://www.security.nnov.ru/search/news.asp?binid=1320
http://www.securityfocus.com/bid/5835/info/
http://www.securityfocus.com/bid/7550/info/
http://rhn.redhat.com/errata/RHSA-2002-096.html
http://www.debian.org/security/2003/dsa-344
http://www.2600.com
doubles
Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434
Promote security and make money with the Hushmail Affiliate Program:
http://www.hushmail.com/about-affiliate?l=427
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]