Re: [Full-Disclosure] Administrivia: List Compromised due to Mailman Vulnerability
From: Steve Blass (sblass_at_asu.edu)
Date: 02/09/05
- Previous message: Adam Laurie: "[Full-Disclosure] yet another DSL modem backdoor - Mentor (Conexant)"
- In reply to: John Cartwright: "[Full-Disclosure] Administrivia: List Compromised due to Mailman Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 09 Feb 2005 12:45:19 -0700
To: full-disclosure@lists.netsys.com
John Cartwright wrote:
>...
>
>Subscriber addresses and passwords have been compromised.
>
d'0h!
>...
>
>SLASH = '/'
>
>def true_path(path):
>    "Ensure that the path is safe by removing .."
>    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
>    return SLASH.join(parts)[1:]
>
That's an improvement, but better is to extract and validate the tail of
the path to your repository and then anchor the root where it belongs.
Fully disclosing that FD was compromised was a stand-up thing to do
though. Good job!
-
Steve
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
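The two approaches side by side, as an added example that is not part of the post or of Mailman's own code: the quoted `true_path` filter next to an anchored variant of what Steve describes (validate the tail, join it under the archive root, confirm the result is still inside that root). The `ARCHIVE_ROOT` value and the `COMPONENT_RE` whitelist are assumptions made for this example.

```python
import os
import re

SLASH = '/'

# Constructed for this example: where the private archives live on disk.
ARCHIVE_ROOT = '/var/lib/mailman/archives/private'

# Assumed whitelist for one path component: list names, month directories
# and message files such as '2005-February' or '000001.html'. Nothing that
# begins with '.' is accepted, so '.', '..' and '..foo' all fail here.
COMPONENT_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]*$')


def true_path(path):
    """The filter quoted above: drop every '.' or '..' component, then strip
    the leading slash so the result is relative to the archive root."""
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]


def anchored_path(root, tail):
    """Steve's alternative: validate each component of the requested tail,
    join it under root, and check that the resolved path is still inside
    root. Returns the absolute path, or None when the request is rejected."""
    parts = [p for p in tail.split(SLASH) if p]   # ignore empty components
    if not parts or not all(COMPONENT_RE.match(p) for p in parts):
        return None
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, *parts))
    # Second, independent check: symlinks or anything the regex missed must
    # not let the final path end up outside the root.
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate


if __name__ == '__main__':
    for req in ('/mylist/2005-February/000001.html', '/mylist/../../etc/passwd'):
        print(req, '->', true_path(req), '|', anchored_path(ARCHIVE_ROOT, req))
```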