public inbox for nncp-devel@lists.stargrave.org
From: Sergey Matveev <stargrave@stargrave•org>
To: nncp-devel@lists.cypherpunks.su
Subject: Re: NNCP path traversal attack
Date: Fri, 19 Sep 2025 16:25:30 +0300
Message-ID: <aM1ZykOooMiIQ1XJ@stargrave.org>
In-Reply-To: <CAO-d-4p-xZjB=zAri=y-H-KPziVYGwnC70zKQ8vsEHzJTvDGsg@mail.gmail.com>
Greetings!
*** Eugene Medvedev [2025-09-19 07:46]:
>As it currently stands, NNCP is vulnerable to path traversal attacks with
>freq and file functions: Despite the requirement for both to supply full path
>in configuration, both types of packets will accept and act upon paths
>containing "..".
Unfortunately it is so indeed. Shame on me for missing that check!
Thanks for the patch! I merged it into the develop branch. May I add you to
the THANKS file? If yes, should I add your email there? After that I
will make a new release.
--
Sergey Matveev (http://www.stargrave.org/)
LibrePGP: 12AD 3268 9C66 0D42 6967 FD75 CB82 0563 2107 AD8A
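
The failure mode described in the quoted report, as an added example in Go: it is not NNCP's code and not the merged patch. The function names, the error value and the base directory are hypothetical, and it assumes packet-supplied paths are meant to be relative to the configured directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is a hypothetical error for paths that leave the base directory.
var ErrTraversal = errors.New("path escapes configured directory")

// naiveJoin is the vulnerable pattern: Join cleans ".." components,
// so the result can silently land outside base.
func naiveJoin(base, requested string) string {
	return filepath.Join(base, requested)
}

// confinedJoin resolves a packet-supplied path under base and rejects
// anything that ends up outside it. Symlinks inside base are not
// resolved here; that needs a separate check on the real filesystem.
func confinedJoin(base, requested string) (string, error) {
	if filepath.IsAbs(requested) {
		return "", ErrTraversal // assumption: remote paths must be relative
	}
	base = filepath.Clean(base)
	full := filepath.Join(base, requested)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	base := "/srv/freq" // constructed sample directory
	// Constructed sample paths, as they might arrive in a freq or file packet.
	for _, p := range []string{"docs/readme.txt", "../../etc/passwd",
		"docs/../../secret", "/etc/passwd", "..hidden/file"} {
		full, err := confinedJoin(base, p)
		fmt.Printf("%-20q naive=%-28q confined=%q err=%v\n",
			p, naiveJoin(base, p), full, err)
	}
}
```

Comparing the cleaned relative path, rather than searching the raw string for "..", keeps legitimate names such as "..hidden" usable while still catching "docs/../../secret".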
Thread overview: 9+ messages
2025-09-19 4:46 NNCP path traversal attack Eugene Medvedev
2025-09-19 6:28 ` Jonathan Lane
2025-09-19 6:43 ` Eugene Medvedev
2025-09-19 12:02 ` John Goerzen
2025-09-19 12:11 ` Eugene Medvedev
2025-09-19 12:04 ` John Goerzen
2025-09-19 12:31 ` Eugene Medvedev
2025-09-19 13:25 ` Sergey Matveev [this message]
2025-09-19 13:30 ` Eugene Medvedev