[Bug 1998] Arbitrary command execution using SCP

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat May 19 15:18:43 EST 2012


Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2012-05-19 15:18:43 EST ---
the client side scp can't escape the filenames because it does not know
what shell is on the other end or what its quoting rules are (and
"fixing" this on the client side doesn't help security anyway).

the command gets run by the remote shell regardless of what the remote
scp does (you can delete scp from the remote side entirely and it'll
still happen).  If you want to prevent this, you need to enforce it in
the remote shell eg with a restricted shell of some type (scponly and
rssh are example I'm aware of, but I can't vouch for them).

Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list