/#sh:user@host file names with "%" bug

Oswald Buddenhagen ossi at kde.org
Fri Jan 15 23:41:00 UTC 2010


On Fri, Jan 15, 2010 at 08:32:01PM +0100, Janek Kozicki wrote:
> 1. create files named 
>      efekt_skali__0.15%.png
>      efekt_skali__1.5%.png
> 
> 2. log in remotely to that host using /#sh:user@host
> 
> 3. observe wrong file names:
>       efekt_skali__0.1593cf4fcng
>       efekt_skali__1.593cf4fcng
> 
> pretty weird, huh?
> 
it's not just weird, it is a potentially exploitable security hole.
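
Added example, not part of the original message and not mc's code: it assumes the remote file name reached a printf-style function as the format string, which is consistent with the reported output (name up to "%", a hex value in place of "%.p", then "ng"). The helper names conv_len, first_conversion and show_name are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Length of the printf conversion starting at s[0] == '%', or 0 if none. */
static size_t conv_len(const char *s) {
    const char *p = s + 1;
    if (*p == '%') return 2;                      /* "%%" is a literal percent */
    p += strspn(p, "-+ #0");                      /* flags */
    p += strspn(p, "0123456789*");                /* field width */
    if (*p == '.') { p++; p += strspn(p, "0123456789*"); } /* precision */
    p += strspn(p, "hlqLjzt");                    /* length modifiers */
    if (*p && strchr("diouxXeEfFgGaAcspn", *p)) return (size_t)(p - s) + 1;
    return 0;
}

/* Find the first conversion a printf-style call would consume if `name`
 * were used as its format. Returns 1 and sets offset/length, else 0. */
static int first_conversion(const char *name, size_t *start, size_t *len) {
    for (const char *p = strchr(name, '%'); p; p = strchr(p + 1, '%')) {
        size_t n = conv_len(p);
        if (n == 2 && p[1] == '%') { p++; continue; }  /* skip both of "%%" */
        if (n) { *start = (size_t)(p - name); *len = n; return 1; }
    }
    return 0;
}

/* BEFORE (assumed shape of the bug): snprintf(out, n, name);
 * AFTER: the format is a constant and the name is only ever data. */
static int show_name(char *out, size_t n, const char *name) {
    return snprintf(out, n, "%s", name);
}

int main(void) {
    const char *name = "efekt_skali__0.15%.png";  /* file name from the report */
    size_t s, l;
    char buf[64];
    if (first_conversion(name, &s, &l))           /* head, <consumed spec>, tail */
        printf("as format: \"%.*s\" <%.*s> \"%s\"\n",
               (int)s, name, (int)l, name + s, name + s + l);
    show_name(buf, sizeof buf, name);
    puts(buf);                                    /* name printed unchanged */
    return 0;
}
```

The same scanner can be run over a directory listing to flag names that would be misread by any remaining call site that passes a name as a format.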



More information about the mc-devel mailing list