lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: doubles at hush.com (doubles@...h.com)
Subject: unarj dir-transversal bug (../../../..)

On Mon, 11 Oct 2004 12:50:20 -0700 Chris Umphress <umphress@...il.com>
wrote:
>  chris@...is:~/test$ arj a test.arj ../../../usr/local/bin/test.txt

ya have ''.'' in yar PATH! bwahahahah!

>Apart from it removing one "../" from the filename I gave it, it
>worked exactly as I expected.

dis is powerfull security whole! im writting a exploit for it right now
in visual cobol!

czech this out::

http://www.security.nnov.ru/search/news.asp?binid=1320
http://www.securityfocus.com/bid/5835/info/
http://www.securityfocus.com/bid/7550/info/
http://rhn.redhat.com/errata/RHSA-2002-096.html
http://www.debian.org/security/2003/dsa-344
http://www.2600.com

doubles




Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427


Powered by blists - more mailing lists