mirror 2.9 hole

[wise () TOMCAT RU (3APA3A)]

Hello BUGTRAQ () SECURITYFOCUS COM,

mirror is a Perl script which is widely used for making copy of remote
FTP site. It's included in FreeBSD packages. There are security holes,
which   allows  overwrite  local  files  from  remote  ftp  site  with
permissions  of  the  user  who uses mirror. Then retrieving directory
listing  mirror  doesn't  check  filename or directory name to contain
".."  or  "\"  This  allows  to create or overwrite files in directory
different from destination.

To  simply  test  this  bug you can create " .." directory on your ftp
site  and  mirror  your  site.  Mirror  will create temporary files in
directory  one  level  higher  then  specifyed.  This way you couldn't
overwrite  some useful information, but this may be used, for example,
to fill out / directory (if mirror is ran from root).

But  with putting little changes into you ftpd (for example making him
change '\' to '/' on listings) you can force mirror to overwrite _any_
file with permissions of mirror user then he mirrors your ftp site.

Tested with:
$ mirror -v
$Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $

         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|úÄÅÓØ ÂÙÌ U õÞÅÎÙÊ ëÏÔ}
+-------------o66o--+ /
                    |/
ïÓÏÂÕÀ ÐÒÏÂÌÅÍÕ ÓÏÓÔÁ×ÌÑÅÔ ÁÌËÏÇÏÌÉÚÍ.  (ìÅÍ)