NTP BUG 2938: ntpq saveconfig command allows dangerous characters in filenames

Last update: April 22, 2024 18:49 UTC (7e7bd5857)


Resolved 4.2.8p6 19 Jan 2016
References Bug 2938 AV:N/AC:L/Au:S/C:N/I:P/A:N


The ntpq saveconfig command does not do adequate filtering of special characters from the supplied filename. Note well: The ability to use the saveconfig command is controlled by the restrict nomodify directive, and the recommended default configuration is to disable this capability. If the ability to execute a saveconfig is required, it can easily (and should) be limited and restricted to a known small number of IP addresses.



This weakness was discovered by Jonathan Gardner of Cisco ASIG.