Exploiting Wildcards On Linux/Unix 215
An anonymous reader writes: DefenseCode researcher Leon Juranic found security issues related to using wildcards in Unix commands. The topic has been talked about in the past on the Full Disclosure mailing list, where some people saw this more as a feature than as a bug. There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that stress the risks accompanying the practice of using the * wildcard with Linux/Unix commands. The issue can be manifested by using specific options in chown, tar, rsync etc. By using specially crafted filenames, an attacker can inject arbitrary arguments to shell commands run by other users — root as well.
Re:Question... -- ? (Score:5, Funny)
I might start using ./ a lot more now.
So, you learned about ./ on /.?
Re:Question... -- ? (Score:5, Funny)
after swearing at my terminal for a while before resorting to reading the rm man page.
I find that half the time the swearing comes after trying to read the man page. Then it's time to fire up the old Google...
Use of malicious filenames is at least 30 yrs old (Score:4, Funny)
Back in '83, a friend challenged me to remove a file name "-rf *, without causing collateral damage.