Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SSH allows deletion of other users files...

From: Markus Friedl <markus () openssh com>
Date: Mon, 4 Jun 2001 23:08:38 +0200
wrong. openssh does since the 1st release.

On Mon, Jun 04, 2001 at 09:08:26AM -0700, Jason DiCioccio wrote:

zen-parse () gmx net wrote:


SSH allows deletion of other users files.
=========================================

You can delete any file on the filesystem you want...

as long as its called cookies.


Is this for OpenSSH, or SSH 1.2.x or?  Just kind of curious what 
version(s) of SSH this was tested on.

Also: SSH Version OpenSSH_2.3.0 green () FreeBSD org 20010321 -- That comes 
with FreeBSD 4.3-STABLE
is not vulnerable at first glance.  It does not appear to use /tmp files 
as yours does and therefore is not vulnerable.

Cheers,
-JD-

-- 
Jason DiCioccio - geniusj () bsd st - PGP Key @ http://bsd.st/~geniusj/pgpkey.asc
Previous By Date Next
Previous By Thread Next

Current thread: