Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
All times are UTC - 4
Linux Distributions Update for Web Flaw
chrismt


Joined: 21 Apr 2010
Posts: 255

Posted: Sat 04 Sep 2010, 09:51    Subject: Linux Distributions Update for Web Flaw
Subtitle: Wget flaw
 

Does this apply to Puppy also?

http://www.pcworld.com/businesscenter/article/204828/linux_distributions_update_for_web_flaw.html
Pizzasgood


Joined: 04 May 2005
Posts: 6270
Location: Knoxville, TN, USA

Posted: Wed 06 Oct 2010, 22:03

I think so. It says versions 1.12 and older, which includes the version used in Puppy 5.0.

It looks like how this works is when you run wget, it's possible for the webserver you download from to provide a different filename for the file than what you expect. This could potentially result in wget saving the file in an unexpected and possibly dangerous location. It normally can't overwrite an existing file unless you modify wget's settings or use a command-line flag to enable that, but if you don't already have a config file for wget, it could download a config file that tells it that it's allowed to overwrite files, which would make it a bit more dangerous.

I don't know if the filename provided can change the path though. If you are running wget from /tmp/lala, I doubt the server could direct wget to save the file into /root/.ssh/, for example. If I'm right about that, then this is mainly only dangerous if you run wget from your home directory (not a subdirectory thereof) which would allow it to download to the many optional (and possibly not yet existing) config files that various programs look for.

Another limitation is that I think wget doesn't mess with file permissions, meaning nothing downloaded would have the execute bit set. That makes it harder to exploit it by having something downloaded into, say, /root/Startup, since IIRC Puppy ignores non-executable files in those sorts of directories. (Hmm, not sure about /etc/profile.d/ though.)

I wouldn't be too concerned about it.

_________________
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib
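
A defensive take on the behaviour discussed in the post above, added here as an example and not part of the original thread: choose the local file name from the URL you typed, download into an empty scratch directory with wget's `-O`, and list any names you did not choose in a directory where wget was run without it. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# local_name_for URL
# Derive the local file name from the URL the user typed, never from
# anything the server sends back.
local_name_for() {
    name=${1%%\?*}            # drop the query string
    name=${name%%\#*}         # drop the fragment
    name=${name##*/}          # keep only the last path component
    case $name in
        ''|.|..) name=download ;;      # nothing usable: fall back to a fixed name
        .*)      name="_${name#.}" ;;  # never create a dotfile such as .wgetrc
    esac
    printf '%s\n' "$name"
}

# fetch_pinned URL
# Download into a new, empty scratch directory under the pinned name, so a
# server-chosen name cannot land beside config files in $HOME.
fetch_pinned() {
    dir=$(mktemp -d) || return 1
    out=$dir/$(local_name_for "$1")
    if wget -O "$out" "$1"; then
        printf '%s\n' "$out"
    else
        rm -rf "$dir"
        return 1
    fi
}

# stray_files DIR EXPECTED
# After a plain wget run in DIR (assumed empty beforehand), print every
# entry, dotfiles included, whose name is not the expected one.
stray_files() {
    for f in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob stays literal
        [ "${f##*/}" = "$2" ] || printf '%s\n' "${f##*/}"
    done
}
```

`fetch_pinned` prints the path of the saved file; move it into place only after checking it is what you asked for.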
