Giuseppe Iuculano
2009-Jul-22 05:42 UTC
[Secure-testing-team] Bug#537977: directory traversal bug
Package: znc Severity: grave Tags: security patch -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, znc 0.072 fixes an high-impact directory traversal bug | You can upload files to znc via /dcc send *status. The files will be saved in <datadir>/users/<user>/downloads/. | The code for this didn''t do any checking on the file name at all and thus allowed directory traversal attacks by | all znc users (no admin privileges required!). | By exploiting this bug, attackers could e.g. upload a new ssh authorized_keys file or upload a znc module which | lets everyone gain shell access. Anything is possible. | Again: ONLY A NORMAL USER ACCOUNT NEEDED, no admin privileges. THE ATTACKER GOT WRITE ACCESS TO ALL PLACES ZNC GOT WRITE ACCESS TO. Patch: http://znc.svn.sourceforge.net/viewvc/znc?view=rev&sortby=rev&sortdir=down&revision=1570 Cheers, Giuseppe. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkpmpsEACgkQNxpp46476aoy+QCfY1B9lHH5AQvFZjzPxF7R89GU 4E4An0agaSnyhOzttT9UpQ6MF8EgqCia =6hw9 -----END PGP SIGNATURE-----