bug-bash
Re: Fwd: Command execution by creating file.


From: Greg Wooledge
Subject: Re: Fwd: Command execution by creating file.
Date: Wed, 21 Jun 2023 07:56:21 -0400

On Wed, Jun 21, 2023 at 09:25:02AM +0530, LitHack wrote:
> Sorry instead of alias we have to use the function.
> 
> Corrected command: mkdir dir;cd dir;<>file;file()bash;*

Even if we correct your "corrected" code for you, the basic issue
remains: what "bug" are you claiming exists here?  How does the actual
result differ from your expected result?

If your issue is "There is a potential security hole -- I could set up
a directory with malicious filenames inside it, and then wait for the
admin to cd to my directory and type * and Enter, and then my trap
shall be sprung!  I'll have my revenge!!"

... then yes, we know.  This is certainly a possible thing that you could
do.  The problem with your plan is that it relies on an administrator
doing a sequence of improbable things to spring the trap.

Just don't press * and Enter at the shell prompt.  Like, ever.  Then there
won't be an issue.  There are lots of commands you should never type.
This is just one of many.

If you failed to pick up the hint I dropped earlier, there is an old joke
that goes like this:

A man walks into the doctor's office.  "Doctor!" he says.  "It hurts when
I bend my arm like this!"

The doctor replies, "Then don't bend it like that."
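
The behaviour discussed in this thread, as an added example that is not part of the original message: with a bare `*` at the prompt, the shell takes the first expanded filename as the command name and the remaining names as its arguments. The sketch below reports what that first word would resolve to without running it; the helper names `first_glob_word` and `glob_command_resolution` and all file names are hypothetical and constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reports what a bare `*` typed in a
# directory would run as a command, without running it.

# Print the first word `*` expands to in directory $1 (hypothetical helper).
# Sort order follows the current locale; dotfiles are not matched by `*`.
first_glob_word() (
    cd -- "$1" || exit 2
    set -- *
    # With no matches the pattern stays a literal `*`, so confirm it exists.
    if [ -e "$1" ] || [ -L "$1" ]; then
        printf '%s\n' "$1"
    else
        exit 1
    fi
)

# Succeed and print how the current shell resolves that word as a command
# name (function, alias, builtin or PATH entry); fail if nothing matches.
glob_command_resolution() {
    word=$(first_glob_word "$1") || return 1
    command -v -- "$word"
}

# Constructed demo: a harmless function shares its name with the first file.
demo_dir=$(mktemp -d)
: > "$demo_dir/aaa_constructed_name"
: > "$demo_dir/zzz_other"
aaa_constructed_name() { echo "function body would run here"; }

if hit=$(glob_command_resolution "$demo_dir"); then
    echo "bare * in $demo_dir would run: $hit (remaining names become arguments)"
else
    echo "bare * in $demo_dir resolves to no command"
fi
rm -rf -- "$demo_dir"
```

The check only sees functions and aliases defined in the shell that runs it, so it has to be sourced into the interactive session being audited to reflect that session's state.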
