mirror of
https://github.com/znc/znc.git
synced 2026-03-28 17:42:41 +01:00
You can upload files to znc via /dcc send *status. The files will be saved in <datadir>/users/<user>/downloads/. The code for this didn't do any checking on the file name at all and thus allowed directory traversal attacks by all znc users (no admin privileges required!).

By exploiting this bug, attackers could e.g. upload a new ssh authorized_keys file or upload a znc module which lets everyone gain shell access. Anything is possible.

Again: ONLY A NORMAL USER ACCOUNT NEEDED, no admin privileges. THE ATTACKER GOT WRITE ACCESS TO ALL PLACES ZNC GOT WRITE ACCESS TO.

git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1570 726aef4b-f618-498e-8847-2d620e286838
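The commit message above describes an upload file name that was used without any check. As an added example (not ZNC's code and not the fix made in this commit), the C++ below shows a lexical test for names that climb out of the download directory and a stricter check that accepts only a single plain file name component. The function names and the sample directory are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>

// True if a relative name, resolved lexically, climbs above the directory
// it is joined to (e.g. "../../.ssh/authorized_keys") or is absolute.
bool escapes_base(const std::string& name) {
    if (!name.empty() && name[0] == '/') return true;
    int depth = 0;
    std::string::size_type pos = 0;
    while (pos <= name.size()) {
        std::string::size_type end = name.find('/', pos);
        if (end == std::string::npos) end = name.size();
        const std::string part = name.substr(pos, end - pos);
        if (part == "..") { if (--depth < 0) return true; }
        else if (!part.empty() && part != ".") ++depth;
        pos = end + 1;
    }
    return false;
}

// Upload names should be one plain component: no separators, no "." or
// "..", no control bytes (which also rules out an embedded NUL).
bool is_safe_filename(const std::string& name) {
    if (name.empty() || name == "." || name == "..") return false;
    for (std::string::size_type i = 0; i < name.size(); ++i) {
        const unsigned char c = static_cast<unsigned char>(name[i]);
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) return false;
    }
    return true;
}

// Hardened join: returns an empty string when the name is rejected.
std::string checked_path(const std::string& dir, const std::string& name) {
    return is_safe_filename(name) ? dir + "/" + name : std::string();
}

int main() {
    // Constructed sample values; the directory is a placeholder.
    const std::string dir = "/data/users/alice/downloads";
    const char* names[] = {"notes.txt", "../../../.ssh/authorized_keys", "..", "a/b"};
    for (int i = 0; i < 4; ++i)
        std::cout << names[i] << " -> escapes=" << escapes_base(names[i])
                  << " accepted=" << !checked_path(dir, names[i]).empty() << "\n";
    return 0;
}
```

The allow-list check is deliberately stricter than the traversal test: "a/b" stays inside the directory lexically but is still rejected, because an upload handler has no reason to accept a name with path separators.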