
Re: root access and dselect | ftp

Martin Bialasinski <martin@internet-treff.uni-koeln.de> writes:

> Yes, but there is no known way to force the ftp client to do such
> things. The client doesn't accept any commands and any data it gets is,
> well, data, so it is not executed, just written to disk.

Well, there are a few exceptions, but they won't affect dselect+ftp.

When you do "mget *" from your ftp client, it asks the server for all
the files in the directory.  A malicious server could send back the
file "../etc/passwd", which some clients will happily download and
save.  You could also have files like ".profile" or ".exrc" in the
directory, which get returned and saved with no problems.  These files
will then contain the commands.  Just be careful, and do as little as
possible as root.

	 Carey Evans  http://home.clear.net.nz/pages/c.evans/

	  GNU GPL: "The Source will be with you... always."
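
An added example, not part of the original post and not taken from any ftp client: a check a client can apply to each name a server returns for "mget *" before writing anything to disk. It rejects the "../etc/passwd" and ".profile"/".exrc" cases described above. The function names and the sample listing are constructed for illustration.

```python
import os

# Constructed sample: names as a hostile server might return them for "mget *".
SAMPLE_LISTING = ["README", "../etc/passwd", "/etc/passwd", ".profile",
                  ".exrc", "pkgs/base.deb", "dir\\evil", "", "..", "hello.deb"]

def vet_listing_name(name, dest_dir, allow_dotfiles=False):
    """Return the local path for a server-supplied name, or raise ValueError."""
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    # A listing for the current directory has no business naming other
    # directories, so any separator (either style) is refused outright.
    if "/" in name or "\\" in name:
        raise ValueError("path separator in name")
    if name in (".", ".."):
        raise ValueError("directory reference")
    # Dotfiles such as .profile or .exrc are read by shells and editors.
    if name.startswith(".") and not allow_dotfiles:
        raise ValueError("dotfile")
    # Second layer: resolve symlinks and confirm the target is still inside
    # the download directory (catches a pre-existing symlink with that name).
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("escapes download directory")
    return target

def filter_listing(names, dest_dir):
    """Split a server listing into names safe to fetch and rejected ones."""
    accepted, rejected = [], []
    for name in names:
        try:
            vet_listing_name(name, dest_dir)
            accepted.append(name)
        except ValueError as err:
            rejected.append((name, str(err)))
    return accepted, rejected

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        ok, bad = filter_listing(SAMPLE_LISTING, d)
        print("fetch:", ok)
        for name, why in bad:
            print("refuse: %r (%s)" % (name, why))
```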
