/#sh:user at host file names with "%" bug

Pavel Machek pavel at ucw.cz
Mon Jan 18 07:15:56 UTC 2010


On Sat 2010-01-16 00:41:00, Oswald Buddenhagen wrote:
> On Fri, Jan 15, 2010 at 08:32:01PM +0100, Janek Kozicki wrote:
> > 1. create files named 
> >      efekt_skali__0.15%.png
> >      efekt_skali__1.5%.png
> > 
> > 2. log in remotely to that host using /#sh:user at host
> > 
> > 3. observe wrong file names:
> >       efekt_skali__0.1593cf4fcng
> >       efekt_skali__1.593cf4fcng
> > 
> > pretty weird, huh?
> > 
> it's not just weird, it is a potentially exploitable security hole.

Well, /#sh is just a weird hack, and probably contains many similar
problems.

It should be documented that it is not safe to connect to untrusted
hosts.

(Plus it should be fixed, of course).

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
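
Added example, not part of the original message and not mc's code: the thread does not state the cause, but the garbled names are consistent with the "%.p" in each file name being read as a conversion specification by a printf-style call. Assuming that, this C sketch shows the two usual remedies using the reported file names; `send_fmt`, `format_name_safe`, `escape_percent`, `build_then_format` and the `ls` command string are hypothetical names constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for any printf-style API that takes a format. */
static int send_fmt(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Preferred: the untrusted name is only ever an argument to "%s". */
int format_name_safe(char *out, size_t len, const char *name)
{
    return send_fmt(out, len, "ls %s", name);
}

/* Double each '%' so the name stays inert if a later stage reuses the
   built string as a format. Caller frees the result. */
char *escape_percent(const char *s)
{
    size_t n = strlen(s);
    char *res = malloc(2 * n + 1), *p = res;
    if (!res) return NULL;
    for (; *s; s++) {
        if (*s == '%') *p++ = '%';
        *p++ = *s;
    }
    *p = '\0';
    return res;
}

/* Two-stage path: build a command, then hand it on as the format. */
int build_then_format(char *out, size_t len, const char *name)
{
    char cmd[256];
    char *esc = escape_percent(name);
    if (!esc) return -1;
    int n = snprintf(cmd, sizeof cmd, "ls %s", esc);
    free(esc);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;
    /* With the raw name in cmd, "%.p" would be parsed as a conversion. */
    return send_fmt(out, len, cmd);
}
```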
