Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 19 May 2010 15:28:18 +0200
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability

Solar Designer wrote:
> [...]
> Although I used a somewhat tricky approach in the above exploit,
> eventually making wget overwrite a file, it is also possible to mount
> attacks that do not rely on overwriting any files.  Many programs
> support optional startup/config files of fixed/known/guessable names
> that a malicious or compromised server could provide.  In fact, I've
> just demonstrated this attack against wget itself, but it could also
> work against another program.
> 
> Is this more convincing now?

Serving dot files is a neat trick indeed, I've overlooked that
paragraph in the ocert advisory. Nevertheless I'm not convinced it's
worth changing wget's default behavior in the proposed way. So I can
understand upstream here.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.