Puppy Linux Discussion Forum
Linux Distributions Update for Web Flaw
chrismt


Joined: 21 Apr 2010
Posts: 255

Posted: Sat 04 Sep 2010, 09:51    Post subject: Linux Distributions Update for Web Flaw
Subject description: Wget flaw
 

Does this apply to Puppy also?

http://www.pcworld.com/businesscenter/article/204828/linux_distributions_update_for_web_flaw.html
Pizzasgood


Joined: 04 May 2005
Posts: 6270
Location: Knoxville, TN, USA

Posted: Wed 06 Oct 2010, 22:03

I think so. It says versions 1.12 and older, which includes the version used in Puppy 5.0.

It looks like how this works is when you run wget, it's possible for the webserver you download from to provide a different filename for the file than what you expect. This could potentially result in wget saving the file in an unexpected and possibly dangerous location. It normally can't overwrite an existing file unless you modify wget's settings or use a command-line flag to enable that, but if you don't already have a config file for wget, it could download a config file that tells it that it's allowed to overwrite files, which would make it a bit more dangerous.

I don't know if the filename provided can change the path though. If you are running wget from /tmp/lala, I doubt the server could direct wget to save the file into /root/.ssh/, for example. If I'm right about that, then this is mainly only dangerous if you run wget from your home directory (not a subdirectory thereof) which would allow it to download to the many optional (and possibly not yet existing) config files that various programs look for.

Another limitation is that I think wget doesn't mess with file permissions, meaning nothing downloaded would have the execute bit set. That makes it harder to exploit it by having something downloaded into, say, /root/Startup, since IIRC Puppy ignores non-executable files in those sorts of directories. (Hmm, not sure about /etc/profile.d/ though.)

I wouldn't be too concerned about it.

_________________
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib
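
Added example (not part of the posts above and not wget's own code): a Python sketch of how a download tool can handle a server-supplied filename so that the cases discussed in the reply are refused, namely a changed path, a dotfile config such as `.wgetrc`, overwriting an existing file, and the execute bit. The names `safe_name`, `save_download` and `demo` are hypothetical, and the sample filenames are constructed.

```python
import os
import tempfile

class UnsafeName(ValueError):
    """A server-supplied filename that must not be used as given."""

def safe_name(server_name):
    """Reduce a server-supplied name to one safe path component."""
    # Keep only the last component, so the server cannot choose the directory.
    name = server_name.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", ".."):
        raise UnsafeName("no usable filename in %r" % server_name)
    if name.startswith("."):
        # Dotfiles are how a download could land as a config file in $HOME.
        raise UnsafeName("refusing hidden file %r" % name)
    if any(ord(c) < 32 for c in name):
        raise UnsafeName("control character in filename")
    return name

def save_download(dest_dir, server_name, data):
    """Write data under dest_dir; never overwrite, never set the execute bit."""
    path = os.path.join(dest_dir, safe_name(server_name))
    # O_CREAT|O_EXCL fails if a file or symlink already exists at path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demo():
    """Feed constructed server-supplied names to save_download."""
    names = ["report.pdf", ".wgetrc", "../../root/.ssh/authorized_keys",
             "report.pdf", ".."]
    outcomes = []
    with tempfile.TemporaryDirectory() as dest:
        for name in names:
            try:
                path = save_download(dest, name, b"constructed sample body")
                executable = bool(os.stat(path).st_mode & 0o111)
                outcomes.append("saved %s exec=%s" % (os.path.basename(path), executable))
            except UnsafeName:
                outcomes.append("refused")
            except FileExistsError:
                outcomes.append("exists")
    return outcomes

if __name__ == "__main__":
    for line in demo():
        print(line)
```

With plain wget, naming the output file yourself with `-O` and running it from a scratch directory rather than the home directory limits what a server-chosen name can touch.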
