Date: Thu, 10 Sep 1998 14:47:56 -0700
From: Jamie Lawrence <jal@ThirdAge.com>
To: Aleph One <aleph1@dfw.net>
Cc: security@FreeBSD.ORG
Subject: Re: cat exploit
Message-ID: <3.0.5.32.19980910144756.01d24c70@204.74.82.151>
In-Reply-To: <Pine.SUN.4.01.9809101458470.13293-100000@dfw.nationwide.net>
References: <17574.905449550@time.cdrom.com>

At 03:01 PM 9/10/98 -0500, Aleph One wrote:
>> Rather, it described a symptom common to most VT100 compliant terminal
>> emulators and something very clearly under the "well don't DO that then"
>> category. It's nothing new at all and if you're not sure of the
>> contents of a file, don't just blindly cat it to your screen. The
>> same goes for any binary I might hand you - if I put up a file on
>> an FTP site called ``megaspacewar.exe'' and you go and run it on your
>> Windows box and it trojans you to death (or worse), whose fault is
>> that? :-) Same basic issue.
>
>Whoa! If you don't know the contents of a file don't read it. If you don't
>read a file you don't know its contents. That's some really useful
>suggestion.

Aleph, you should know better. This 'problem' has been around for ages.
Doing things that have been known to be dangerous for years as root is
not something any Unix that I know of tries to protect against.

>How about something more practical? Like being able to turn off this
>"feature".

"rm /bin/cat"

Or, not cat'ing unknown files as root. Or as your own username, depending
on your threat model. Or use a utility that strips control sequences.

>> - Jordan
>
>Aleph One / aleph1@dfw.net

-j
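
One way to build the kind of "utility that strips control sequences" the reply mentions, as an added example that is not part of the original message: a Python filter that removes complete escape sequences and then prints any control character still left in visible form. The name `sanitize` and the sample bytes are constructed for illustration.

```python
import re
import sys

# Complete escape sequences, following the ECMA-48 / VT100 structure.
_SEQ = re.compile(
    r"(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~]"            # CSI: cursor moves, colours, reports
    r"|(?:\x1b[\]PX^_]|[\x90\x98\x9d\x9e\x9f])"    # DCS, SOS, OSC, PM, APC introducer ...
    r"[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)"        # ... with its payload, up to BEL or ST
    r"|\x1b[ -/]*[0-~]"                            # remaining short escapes (ESC c, ESC 7, ...)
)
# Control characters still present afterwards (lone ESC, CR, BS, C1 ...).
# Newline and tab are kept. This second pass also catches a sequence that
# only forms once an inner sequence has been removed.
_CTRL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def _visible(match):
    """Render one control character visibly: caret notation for C0, hex for C1."""
    code = ord(match.group())
    if code < 0x20:
        return "^" + chr(code + 0x40)      # ESC -> ^[, CR -> ^M
    if code == 0x7F:
        return "^?"
    return "\\x%02x" % code                # C1 controls U+0080..U+009F


def sanitize(data: bytes) -> str:
    """Return text that a terminal will display without interpreting."""
    # Invalid UTF-8 (including raw 8-bit C1 bytes) decodes to U+FFFD.
    text = data.decode("utf-8", errors="replace")
    return _CTRL.sub(_visible, _SEQ.sub("", text))


# Constructed sample: colour change, window-title string, CR overwrite, truncated CSI.
SAMPLE = b"plain \x1b[31mred\x1b[0m text\n\x1b]0;constructed title\x07after\rover\x1b[\n"

if __name__ == "__main__":
    # Usage (hypothetical script name): python3 safecat.py FILE...  or pipe data on stdin.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                sys.stdout.write(sanitize(fh.read()))
    else:
        sys.stdout.write(sanitize(sys.stdin.buffer.read()))
```
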