On Mon, Sep 23, 2013 at 05:37:47PM +0200, Radovan Garabik wrote a message of 55 lines which said:
> The "$2" is in quotes, and anyway it is invoked via execl(3), so I
> cannot find a way to subvert the script - that is not to say I
> do not believe this is a real risk, I just do not see an
On Sun, Sep 22, 2013 at 06:57:47PM +0200, steph...@bortzmeyer.org wrote:
> Package: efingerd
> Version: 1.6.2.7+nmu1
> Severity: important
>
> Dear Maintainer,
>
> I'm afraid the default scripts in /etc/efingerd have a security
> weakness. They use $2 (the client IP address or host name) without
>
Package: efingerd
Version: 1.6.2.7+nmu1
Severity: important
Dear Maintainer,
I'm afraid the default scripts in /etc/efingerd have a security
weakness. They use $2 (the client IP address or host name) without
escaping it. Since the efingerd package runs by default *without* the
-n option, $2 will b
3 matches