Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)
- To: Full-disclosure <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)
- From: Chris Umphress <umphress@xxxxxxxxx>
- Date: Mon, 11 Oct 2004 20:30:00 -0700
> evil@sheep:~$ unarj x test.arj
> ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [27 Jun 2004]
>
> Processing archive: test.arj
> Archive created: 2004-10-12 01:15:49, modified: 2004-10-12 01:15:49
> usr/bin/namei, Create this directory? Yes
> Extracting ../usr/bin/namei to usr/bin/namei OK
> 1 file(s)
>
> so it's not taking all the ../ into account and also an .arj created with
> full path is created in $PWD. arj + unarj are both v3.10.
Good point. I tried extracting again with 3.10, and it only leaves the
one "../" on the front.
> ...somehow i don't expect programs to mess with /usr. not as a user and
> not as root.
I just picked /usr, it could have been /etc, /var or any other
standard directory that every *nix distribution has. Regardless, if I
try to make unarj write to a directory that I don't have the
necessary permissions for, it asks me to pick an alternate location
to extract to.
> /me wonders about which version of arj/unarj "doubles" is talking about....
I don't see a problem, but it would be interesting to see which
version "doubles" is referring to.
--
Chris Umphres <http://daga.dyndns.org/>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
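
The transcript in this message shows the extractor dropping a leading "../" and writing under the current directory. As an added example (not part of the original message and not unarj's own code), one way an extractor can check a member name before writing is to resolve it component by component and refuse any name that is absolute or climbs above the extraction directory. The helper name `safe_member_path` and the sample names are hypothetical, and treating `\` as a separator is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not unarj code): normalize an archive member name
 * into a path relative to the extraction directory. Returns 0 and fills
 * `out`, or -1 if the name is absolute, empty, too long, or climbs above
 * the extraction directory. '\\' is treated as a separator (assumption). */
int safe_member_path(const char *name, char *out, size_t outsz)
{
    size_t len = 0;                       /* bytes written to out so far */
    const char *p = name;

    if (outsz == 0 || *p == '\0' || *p == '/' || *p == '\\')
        return -1;                        /* empty or absolute name */
    out[0] = '\0';
    while (*p) {
        size_t n = strcspn(p, "/\\");     /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (len == 0)
                return -1;                /* ".." would leave the root */
            char *slash = strrchr(out, '/');
            len = slash ? (size_t)(slash - out) : 0;
            out[len] = '\0';              /* drop the previous component */
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            if (len + (len ? 1 : 0) + n + 1 > outsz)
                return -1;                /* would not fit in out */
            if (len)
                out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
            out[len] = '\0';
        }
        p += n + strspn(p + n, "/\\");    /* skip the separator run */
    }
    return len ? 0 : -1;                  /* nothing left to extract */
}

int main(void)
{
    /* Constructed member names; the first is the one in the transcript. */
    const char *names[] = { "../usr/bin/namei", "usr/bin/namei",
                            "a/../../etc/passwd", "/etc/passwd", "a/./b/../c" };
    char buf[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s -> %s\n", names[i],
               safe_member_path(names[i], buf, sizeof buf) ? "REJECT" : buf);
    return 0;
}
```

Rejecting the name outright, rather than stripping the "../" and extracting anyway, avoids the case where a partially stripped name still points outside the target directory.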