Bug#537977: directory traversal bug
Giuseppe Iuculano wrote:
> Package: znc
> Severity: grave
> Tags: security patch
>
> Hi,
>
> znc 0.072 fixes a high-impact directory traversal bug
>
> | You can upload files to znc via /dcc send *status. The files will be saved in datadir/users/user/downloads/.
> | The code for this didn't do any checking on the file name at all and thus allowed directory traversal attacks by
> | all znc users (no admin privileges required!).
> | By exploiting this bug, attackers could e.g. upload a new ssh authorized_keys file or upload a znc module which
> | lets everyone gain shell access. Anything is possible.
> | Again: ONLY A NORMAL USER ACCOUNT NEEDED, no admin privileges. THE ATTACKER GOT WRITE ACCESS TO ALL PLACES ZNC GOT WRITE ACCESS TO.
>
> Patch: http://znc.svn.sourceforge.net/viewvc/znc?view=revsortby=revsortdir=downrevision=1570

Hello,

yes I already talked about that with upstream. 0.072 itself is b0rked (broken webadmin), so this has to wait. But I will create in the next days fixed versions for stable-security etc.

Cheers.

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#537977: directory traversal bug
Package: znc
Severity: grave
Tags: security patch

Hi,

znc 0.072 fixes a high-impact directory traversal bug

| You can upload files to znc via /dcc send *status. The files will be saved in datadir/users/user/downloads/.
| The code for this didn't do any checking on the file name at all and thus allowed directory traversal attacks by
| all znc users (no admin privileges required!).
| By exploiting this bug, attackers could e.g. upload a new ssh authorized_keys file or upload a znc module which
| lets everyone gain shell access. Anything is possible.
| Again: ONLY A NORMAL USER ACCOUNT NEEDED, no admin privileges. THE ATTACKER GOT WRITE ACCESS TO ALL PLACES ZNC GOT WRITE ACCESS TO.

Patch: http://znc.svn.sourceforge.net/viewvc/znc?view=revsortby=revsortdir=downrevision=1570

Cheers,
Giuseppe.
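The report above says the DCC receive path did no checking on the client-supplied file name before writing under datadir/users/user/downloads/. The following is an added example of the two-layer check a defender would want there; it is not code from the bug report, from ZNC, or from the linked r1570 patch, and the function names (IsPlainFileName, NormalizeComponents, ResolveInside, SafeDownloadPath) and the directory paths used in it are constructed for illustration. It is pure string handling, so it runs without touching the filesystem.

```cpp
// Added example, not ZNC's code and not the r1570 patch: validating a
// client-supplied DCC file name before saving it under the per-user
// downloads directory. Pure string handling, so it runs without any
// filesystem access; the directory names used with it are constructed.
#include <algorithm>
#include <optional>
#include <string>
#include <vector>

// Layer 1: a DCC file name must be a single path component: non-empty,
// no '/' or '\\', not "." or "..", and no NUL or other control characters.
bool IsPlainFileName(const std::string& name) {
    if (name.empty() || name == "." || name == "..") return false;
    for (unsigned char c : name) {
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) return false;
    }
    return true;
}

// Lexically normalise a POSIX path into components, resolving "." and "..".
// For absolute paths a ".." at the root is dropped, as the kernel does; for
// relative paths a leading ".." is kept so that an escape stays visible.
std::vector<std::string> NormalizeComponents(const std::string& path) {
    const bool absolute = !path.empty() && path[0] == '/';
    std::vector<std::string> out;
    std::string cur;
    auto flush = [&]() {
        if (cur.empty() || cur == ".") {
            // empty (from "//") or "." adds nothing
        } else if (cur == "..") {
            if (!out.empty() && out.back() != "..") out.pop_back();
            else if (!absolute) out.push_back("..");
        } else {
            out.push_back(cur);
        }
        cur.clear();
    };
    for (char c : path) {
        if (c == '/') flush(); else cur.push_back(c);
    }
    flush();
    return out;
}

// Layer 2 (defence in depth): resolve `name` under `downloadDir` and accept
// the result only if it is a direct child of that directory. The name is
// appended after a literal '/', never "joined", so an absolute name cannot
// replace the base directory.
std::optional<std::string> ResolveInside(const std::string& downloadDir,
                                         const std::string& name) {
    const auto base = NormalizeComponents(downloadDir);
    const auto target = NormalizeComponents(downloadDir + "/" + name);
    if (target.size() != base.size() + 1 ||
        !std::equal(base.begin(), base.end(), target.begin())) {
        return std::nullopt;  // climbed out of the directory, or nested deeper
    }
    std::string result = (!downloadDir.empty() && downloadDir[0] == '/') ? "/" : "";
    for (size_t i = 0; i < target.size(); ++i) {
        if (i) result += '/';
        result += target[i];
    }
    return result;
}

// The check a DCC receive handler would run before opening the output file:
// returns the path to write to, or nothing if the name must be rejected.
std::optional<std::string> SafeDownloadPath(const std::string& downloadDir,
                                            const std::string& name) {
    if (!IsPlainFileName(name)) return std::nullopt;
    return ResolveInside(downloadDir, name);
}
```

Rejecting rather than "sanitising" the name is deliberate: stripping dots and slashes from a hostile name can still yield a surprising file, whereas refusing anything that is not a plain single component gives the sender no way to influence where the file lands. The containment check in ResolveInside is there so that a future change which loosens the name filter still cannot write outside the downloads directory.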