[Secure-testing-team] Bug#537977: directory traversal bug
Giuseppe Iuculano
giuseppe at iuculano.it
Wed Jul 22 05:42:29 UTC 2009
Package: znc
Severity: grave
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
znc 0.072 fixes an high-impact directory traversal bug
| You can upload files to znc via /dcc send *status. The files will be saved in <datadir>/users/<user>/downloads/.
| The code for this didn't do any checking on the file name at all and thus allowed directory traversal attacks by
| all znc users (no admin privileges required!).
| By exploiting this bug, attackers could e.g. upload a new ssh authorized_keys file or upload a znc module which
| lets everyone gain shell access. Anything is possible.
| Again: ONLY A NORMAL USER ACCOUNT NEEDED, no admin privileges. THE ATTACKER GOT WRITE ACCESS TO ALL PLACES ZNC GOT WRITE ACCESS TO.
Patch: http://znc.svn.sourceforge.net/viewvc/znc?view=rev&sortby=rev&sortdir=down&revision=1570
Cheers,
Giuseppe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpmpsEACgkQNxpp46476aoy+QCfY1B9lHH5AQvFZjzPxF7R89GU
4E4An0agaSnyhOzttT9UpQ6MF8EgqCia
=6hw9
-----END PGP SIGNATURE-----
More information about the Secure-testing-team
mailing list