[New-bugs-announce] [issue23130] Tools/scripts/ftpmirror.py allows overwriting arbitrary files on filesystem
Guido Vranken
report at bugs.python.org
Tue Dec 30 02:56:34 CET 2014
New submission from Guido Vranken:
Tools/scripts/ftpmirror.py does not guard against arbitrary path constructions, and, given a connection to a malicious FTP server (or a man in the middle attack), it is possible that any file on the client's filesystem gets overwritten. Ie,. if we suppose that ftpmirror.py is run from a "base directory" /home/xxx/yyy, file creations can occur outside this base directory, such as in /tmp, /etc, /var, just to give some examples.
I've constructed a partial proof of concept FTP server that demonstrates directory and file creation outside the base directory (the directory the client script was launched from). I understand that most of the files in Tools/scripts/ are legacy applications that have long been deprecated. However, if the maintainers think these applications should be safe nonetheless, I'll be happy to construct and submit a patch that will remediate this issue.
Guido Vranken
Intelworks
----------
components: Demos and Tools
messages: 233189
nosy: Guido
priority: normal
severity: normal
status: open
title: Tools/scripts/ftpmirror.py allows overwriting arbitrary files on filesystem
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23130>
_______________________________________
More information about the New-bugs-announce
mailing list