On Tue, 28 Sep 1999, 3APA3A wrote: > > Hello BUGTRAQ@SECURITYFOCUS.COM, > > mirror is a Perl script which is widely used for making copy of remote > FTP site. It's included in FreeBSD packages. There are security holes, > which allows overwrite local files from remote ftp site with > permissions of the user who uses mirror. Then retrieving directory > listing mirror doesn't check filename or directory name to contain > ".." or "\" This allows to create or overwrite files in directory > different from destination. > > To simply test this bug you can create " .." directory on your ftp > site and mirror your site. Mirror will create temporary files in > directory one level higher then specifyed. This way you couldn't > overwrite some useful information, but this may be used, for example, > to fill out / directory (if mirror is ran from root). > > But with putting little changes into you ftpd (for example making him > change '\' to '/' on listings) you can force mirror to overwrite _any_ > file with permissions of mirror user then he mirrors your ftp site. > > > Tested with: > $ mirror -v > $Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $ In my defense mirror was written back in the old days before they allowed nasty people to use the Internet :-( Anyhow. A simple fix to overcome this problem is to add the following to your mirror.defaults (and to any package that overrides this setting): name_mappings=s:\.\./:__/:g This should convert names like: " ../rot" to " __/rot"