/#sh:user at host file names with "%" bug
Oswald Buddenhagen
ossi at kde.org
Fri Jan 15 23:41:00 UTC 2010
On Fri, Jan 15, 2010 at 08:32:01PM +0100, Janek Kozicki wrote:
> 1. create files named
> efekt_skali__0.15%.png
> efekt_skali__1.5%.png
>
> 2. log in remotely to that host using /#sh:user at host
>
> 3. observe wrong file names:
> efekt_skali__0.1593cf4fcng
> efekt_skali__1.593cf4fcng
>
> pretty weird, huh?
>
it's not just weird, it is a potentially exploitable security hole.
More information about the mc-devel
mailing list