| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANAyTpjo9whMUSrAw5m_w0DC-qbLVFJhwzu-2SUQtmK43sDnJw@mail.gmail.com> Date: Sun, 29 Jun 2014 10:12:20 +0200 From: Nico Le Moin <nicolemoin01@...il.com> Cc: fulldisclosure@...lists.org Subject: Re: [FD] Back To The Future: Unix Wildcards Gone Wild This happens on f5 appliances: the tomcat user can upload files to /shared/images , then this root process periodically scans the directory looking for firmware. Shell expansion causes privesc here :p Also, there are no csrf tokens in the firmware upload form. vdbs can go wild now :p On Sat, Jun 28, 2014 at 11:29 PM, Daniel Miller <bonsaiviking@...il.com> wrote: > On Sat, Jun 28, 2014 at 5:06 AM, fulldisclosure < > fulldisclosure@...lution-hosting.eu> wrote: > > > to be honest, bash shouldn't expand * to "file1 file2 file3 -rf..." it > > should do it to " 'file1' 'file2' 'file3' '\-rf'..." instead, with all > > meta chars escaped properly. > > > > But this breaks my directory metadata scheme: important directories contain > a file named "-i", unimportant ones have "-f". > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists