Dec 262017
 
A modification for WWIV BBS's that fixes some security loop-holes.
File UNZIP.ZIP from The Programmer’s Corner in
Category BBS Files
A modification for WWIV BBS’s that fixes some security loop-holes.
File Name File Size Zip Size Zip Type
README 1494 766 deflated
UNZIP.C 3817 1069 deflated
UNZIP.EXE 9142 6056 deflated

Download File UNZIP.ZIP Here

Contents of the README file


ok, there have been some troubles recently with people uploading files
containing "pkunzip.exe", "..\dsz.com", and stuff like that. So, I
wrote this "front-end" to pkunzip to fix up security holes in both WWIV
and pkunzip.

The problems occur when the bbs (and pkunzip) allow users to extract
files that they shouldn't. This prevents the user from extracting
anything from a .ZIP file which contains "questionable" files. A
questionable file is one that contains a filename with ANY of the
following strings in it:

"PKZIP",
"PKUNZIP",
"COMMAND",
"DSZ",
"UNZIP",
"\\",
"/",
":",
">",
"<",
"|",
"..",

(All filenames are converted to uppercase before comparisons.)

You'll see in the source code that this stuff is in a nice list, so if
you encounter anything else you want to filter out, all you have to do
is add it to the list. You'll notice that since the files in here are
called "unzip", and "unzip" is in the list, that nobody can temp-extract
from this .zip file. Such is life.

To set this up, put "unzip.exe" in your main BBS dir, or anywhere in
your path. Then, in INIT, in the archive section for ".ZIP", change the
extract command to "unzip %1 %2".

You do not have to put the full pathname of unzip in init, and the unzip
program does not need the full pathname of pkunzip in it (although feel
free to put them in if you want), because unzip will not ever allow a
user to extract unzip or pkunzip in any case.


 December 26, 2017  Add comments

Leave a Reply