RE: Security Breach Alert - CVS Home File Download Area Compromised
From: Bernd Petrovitsch
Subject: RE: Security Breach Alert - CVS Home File Download Area Compromised
Date: Wed, 26 Jan 2005 10:15:39 +0100
On Tue, 2005-01-25 at 22:45 -0800, Conrad T. Pino wrote:
> > From: Larry Jones
> > Many browsers will automagically unzip the file without removing the .gz
> > from the file name -- that may be all that's going on.
>
> I'd buy this concept if it were a consistent behavior.
>
> When I download a source "*.tar.gz" and corresponding "*.tar.gz.sig", I get
> file sizes consistent with values on download page and a PGP signature check
> reports a valid file.
>
> I'm still unable to download "*.gz.sig" for binaries with Internet Explorer
> 6 and the same download with Netscape 4.8 saves a zero length file.
Strange.
> Working your idea a bit further, the file received with Internet Explorer 6
> is the exact size and content of the uncompressed original which says "magic"
> is taking place but I'm not sure it's client side magic because I expect the
> client side "magic" to work against all servers and that's not currently true.
>
> I get "magic" behavior with:
Which files/URLs exactly?
> https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=92
With the .gz Files?
> and many other binary areas on CVS home but no "magic" with
> https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=0
With the .bz2 files?
> and no "magic" with
> http://jakarta.apache.org/site/binindex.cgi
> either.
The web server may send MIME-Types and similar stuff with the delivered
file. The browser may interpret the MIME-Type and do something on it
(automatically or after asking the user or not at all or ...).
---- snip ----
{5}wget -S 'https://ccvs.cvshome.org/files/documents/19/342/cvs-1.11.11-SunOS-5.8-i386.gz'
--10:09:46--
[...]
10 Content-Type: text/plain
11 Content-Encoding: x-gzip
---- snip ----
Assuming a "yes" on the above questions, I guess that IE (or whatever
HTTP client you use) handles .gz now and ignores .bz2.
And the client side behaviour should be configurable (for exactly the
reason you mentioned - checking md5 hashes) or you throw the HTTP-client
in the litter box.
Bernd
--
Firmix Software GmbH http://www.firmix.at/
mobil: +43 664 4416156 fax: +43 1 7890849-55
Embedded Linux Development and Services
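The two headers in the wget output above are the whole mechanism: a server that labels a `.gz` file as `text/plain` with `Content-Encoding: x-gzip` is telling the client that the gzip layer is transport encoding to be stripped, so a client that honours `Content-Encoding` writes the uncompressed bytes to disk under the `.gz` name, while a client that stores the wire bytes (as `wget` does) keeps the real archive. The script below is an added example, not code from this thread or from cvshome.org; it emulates both server labellings and both client behaviours on a constructed sample file, then checks what a user comparing a published hash would see. The URL, the file contents, the header sets and the `honour_content_encoding` switch are assumptions standing in for real servers and browsers.

```python
import gzip
import hashlib

# Constructed sample standing in for a published binary and its .gz archive.
# The mtime is pinned so the "published" bytes are deterministic.
ORIGINAL = b"stand-in for a cvs binary, not a real ELF file\n" * 64
PUBLISHED_GZ = gzip.compress(ORIGINAL, compresslevel=9, mtime=1106730939)
PUBLISHED_SHA256 = hashlib.sha256(PUBLISHED_GZ).hexdigest()

# Two ways a server might label the same .gz file (constructed header sets).
# The first mirrors the pair of headers wget -S printed in the message above.
HEADERS_MISCONFIGURED = {"Content-Type": "text/plain",
                         "Content-Encoding": "x-gzip"}
HEADERS_CORRECT = {"Content-Type": "application/x-gzip"}


def _header(headers, name, default=None):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return default


def is_gzip(data):
    """True if the bytes start with the gzip magic number (RFC 1952)."""
    return data[:2] == b"\x1f\x8b"


def bytes_saved_by_client(headers, body, honour_content_encoding):
    """Return the bytes a client would write to disk for this response.

    honour_content_encoding=True emulates a browser that strips the
    Content-Encoding layer before saving; False emulates a client such as
    wget that stores the wire bytes unchanged.
    """
    enc = _header(headers, "Content-Encoding", "identity").strip().lower()
    if not honour_content_encoding or enc == "identity":
        return body
    if enc in ("gzip", "x-gzip"):
        return gzip.decompress(body)
    raise ValueError("unsupported Content-Encoding: %r" % enc)


def server_mislabels_archive(url, headers):
    """The server-side check: a URL naming a gzip archive must not also carry
    a Content-Encoding that tells clients to strip that very compression."""
    enc = _header(headers, "Content-Encoding", "identity").strip().lower()
    return url.lower().endswith((".gz", ".tgz")) and enc in ("gzip", "x-gzip")


def check_download(saved, published_sha256):
    """What a user comparing size, magic bytes and the published hash observes."""
    return {
        "size": len(saved),
        "is_gzip": is_gzip(saved),
        "hash_ok": hashlib.sha256(saved).hexdigest() == published_sha256,
    }


def recompress_does_not_restore(plain, published_gz):
    """Re-gzipping the decoded bytes yields an archive with the same contents
    but different bytes (header mtime, compressor choices), so a hash or a
    detached signature over the published .gz cannot be regained that way."""
    again = gzip.compress(plain, compresslevel=9, mtime=0)
    same_contents = gzip.decompress(again) == gzip.decompress(published_gz)
    return same_contents and again != published_gz


if __name__ == "__main__":
    url = "https://example.invalid/files/cvs-demo.gz"  # assumed URL
    for label, hdrs in (("misconfigured", HEADERS_MISCONFIGURED),
                        ("correct", HEADERS_CORRECT)):
        print(label, "server mislabels archive:",
              server_mislabels_archive(url, hdrs))
        for client, honour in (("wget-like", False), ("browser-like", True)):
            saved = bytes_saved_by_client(hdrs, PUBLISHED_GZ, honour)
            print("  ", client, check_download(saved, PUBLISHED_SHA256))
```

Only the combination of the mislabelled response and a decoding client produces the symptom reported in the thread: a file of exactly the uncompressed size whose hash no longer matches. The fix belongs on the server (serve the archive as `application/x-gzip` or `application/octet-stream` with no `Content-Encoding`); on the client side, `wget -S` or `curl -sI` against the download URL shows whether the two headers are present before anyone bothers with md5 or PGP.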