Possible Security issue with .zip files

I found a potential issue with expanding .zip files. In the cases I've seen, the .zip files were created on Windows using WinZip. After copying the files to my OS X system, I double-clicked the file to expand the files and folders. (In this case the zip file was a Ruby on Rails web application.) In looking at the files in the terminal, all the files had wide open permissions - 777 - all users had full access to all files!
I had to go through and reset the permissions (755 for folders, 644 for files), and had to reset the execute permission on the Ruby script files.
I'm going to test some more with more zip files, but this could be a potentially huge problem.
Also, I noticed that the files had the "extended attribute" of com.apple.quarantine set on each file - which I assume is being set as a function of being downloaded via Safari from my webmail (Gmail) account. The .zip file had this attribute set, and when expanded it propagated to each file and folder.

The files don't have any security on them from Windows - Windows doesn't know anything about Unix permissions.
I've compressed other files and folders on Windows and decompressed them in Tiger without a problem. I would think, at a minimum, the files would inherit the permissions of the parent folder I expanded them into.
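
The thread above turns on what permission data a .zip entry carries. The following is an added example, not code from any poster: it reads each entry's recorded host system and stored Unix mode, flags entries that have none or are world-writable, then extracts with the 755/644 values the first post settled on. The sample archive and the function names are constructed for illustration.

```python
import io
import os
import stat
import tempfile
import zipfile

DIR_MODE = 0o755   # the values the post reset folders and files to
FILE_MODE = 0o644
UNIX_HOST = 3      # "version made by" host code for Unix in the ZIP format


def build_sample():
    """Constructed archive: two Windows-style entries and one Unix 0777 entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, system, mode in [
            ("app/", 0, 0),                      # host 0 (FAT), no mode bits
            ("app/script.rb", 0, 0),
            ("app/open.rb", UNIX_HOST, stat.S_IFREG | 0o777),
        ]:
            info = zipfile.ZipInfo(name)
            info.create_system = system
            info.external_attr = mode << 16      # Unix mode lives in the high 16 bits
            zf.writestr(info, b"" if name.endswith("/") else b"puts 1\n")
    return buf.getvalue()


def audit_modes(zf):
    """Map entry name -> finding for entries with no Unix mode or a world-writable one."""
    findings = {}
    for info in zf.infolist():
        mode = (info.external_attr >> 16) & 0o7777
        if info.create_system != UNIX_HOST or mode == 0:
            findings[info.filename] = "no-unix-mode"
        elif mode & stat.S_IWOTH:
            findings[info.filename] = "world-writable"
    return findings


def extract_normalized(zf, dest):
    """Extract, then force 755 on directories and 644 on files under dest."""
    zf.extractall(dest)  # zipfile strips absolute paths and ".." components
    applied = {}
    for root, dirs, files in os.walk(dest):
        for name, mode in [(d, DIR_MODE) for d in dirs] + [(f, FILE_MODE) for f in files]:
            path = os.path.join(root, name)
            os.chmod(path, mode)
            applied[os.path.relpath(path, dest)] = mode
    return applied


if __name__ == "__main__":
    archive = zipfile.ZipFile(io.BytesIO(build_sample()))
    for name, finding in audit_modes(archive).items():
        print(f"{finding:15} {name}")
    with tempfile.TemporaryDirectory() as tmp:
        for rel, mode in sorted(extract_normalized(archive, tmp).items()):
            print(f"{mode:o} {rel}")
```

Execute bits are not restored by this normalisation; scripts that need them have to be marked executable afterwards, as the first post describes.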

Similar Messages

  • Security Issues with uploading files into APEX - How is anti-virus handled?

    Hi APEXers!
    We have been using APEX 3 for some time and are now migrating to APEX 4. We have a request for a new application that will require uploading spreadsheets. From other developers, I know it can be done in a few ways. The only thing we have done before is limited - storing them in BLOBs.
    With the Websheets in APEX 4, users could load them directly into the database.
    But the anti-virus issue has always been unclear. For the apps that we are allowing to upload to BLOBs, they are small user, internal apps so we hope that our enterprise desktop software will stop a bad file before it gets uploaded.
    We have gotten some questions about allowing outside-our-network people to upload spreadsheets or maybe even the public. So far, our security people have just said no - but I wondered what everyone else is doing?
    Are there any White Papers or articles on this? My general impression is that anti-virus software has to be installed at the server level to deal with this.
    If anyone can provide some guidance, I would appreciate it as I have to figure out what to tell the development team requesting to do this.

    Do you have to take excel format? CSV would be a lot safer.
    You might take inspiration from this:
    http://stackoverflow.com/questions/3363767/how-do-you-virus-scan-a-file-being-uploaded-to-your-java-webapp-as-it-streams

  • Possible Security Issues with Quicktime?

    Hi all,
    I keep a pretty close security watch on my computer and what is happening in the background. I have Norton NAV2008 and Spy Sweeper running and I am always going into Norton to see what the activity list has to say.
    Quicktime (qttask.exe) makes frequent and large changes to my Windows start-up files through modification of the registry settings.
    I do not like to see programs making these changes, as most malware and worms do this type of thing.
    Is this normal activity for Quick Time or should I be worried here?

    Ken,
    Thanks for answering. Norton just reports the activity as "qttask.exe has made 79 changes to your Windows Start up Files". It gives it a low priority and didn't come up as a "pop up" that required action. It seems like it knows that Quicktime is a program that sometimes does this and it is just reporting it as such.
    As I said, I have no idea whether QT does these changes on a regular basis as part of its program, hence my question here. Yes, QT is used by iTunes and that is what I exclusively use it for. iTunes doesn't work without it apparently, as I noticed the file manipulation and previously removed Quicktime. Then when I tried to use iTunes, it squawked and said QT wasn't installed.
    Thanks again for the reply.

  • How can I resolve a possible security issue with unauthorized computers through QuickTime, as a diagnostic and screen shots show evidence of a Mac computer and I don't have one?

    I'm trying to resolve an issue that I have with my iPhone 4s through QuickTime. I think it might be an embedded mms that might broadcast my info as well as allow remote access sometimes. Any answers or similar activity? I can support with screenshots of public information. This shows in my email accounts as well.

    Is your phone jailbroken? If it is not, you're probably not seeing what you think you're seeing. If your phone hasn't been jailbroken, it's certainly not being controlled remotely. What do you mean by an "embedded mms"? Are you sharing an Apple ID with anyone? Or could someone have gotten access to your Apple ID information?

  • Security issue with unlocking my iPhone 4?

    I'm not sure if anyone here will be able to help me but I am trying to get my iPhone unlocked with AT&T. I bought my iPhone on contract through AT&T in December 2010. My account is in good standing. I paid my ETF, it's technically eligible to be unlocked. I called AT&T on April 9th for an unlock and it's now April 19th and still no word from them. I've called several times and they won't tell me what's going on other than that "there is a security issue with unlocking my iPhone and the issue is with Apple, but they are working on it." From my understanding, all AT&T needs is the unlock code to enter into the system and unlock it from there. I don't know what security issues could possibly exist that would create a problem. The only thing I can think of is that when I originally bought my iPhone it turned out to be a lemon and had to get it replaced the day after I bought it. I did this through an Apple store since it was around Christmas. The IMEI number on my phone doesn't match the one AT&T has on file, but that shouldn't matter? I gave them the right IMEI number that is on my current phone. Does anyone know what "security issues" can exist when it comes to unlocking an iPhone 4?

    Don't stress over the words used by the customer service people at AT&T. Half of them don't know what they're talking about more than half the time.  You are probably correct in that it has something to do with their database being inaccurate. 
    Give it a few days, then contact them again and ask for it to be escalated.
    Ignore rNair. The idea that Apple made it mandatory for AT&T to do anything is complete and total bunk. (S)He has no idea what (s)he's talking about.

  • Severe Security Issue with Sharing Permissions and Windows

    I recently discovered a severe security issue with the Windows sharing and permission settings:
    I have two users, an admin user and a parental controlled user. On my Mac mini, I have an external hard drive connected. On the hard drive, I have three folders: iTunes, iPhoto (Package) and a Temp folder. I want to share the hard drive RW for the admin, but only R for the parental user. But the Temp folder should be accessible for RW for the parental user as well.
    1. I set the Drive checkbox "ignore ownership" off.
    2. I set the permissions of the drive to admin RW, parental R and Everyone to "no access"
    3. I apply to enclosed Items
    4. I set the permission of the Temp folder to admin RW, parental RW and Everyone to "no access"
    5. I apply to enclosed Items
    6. I go to "File Sharing" in the Preferences and activate SMB sharing for both users
    7. I delete all previous shares
    8. I add the Disk and use the proposed permissions which are admin RW, parental R, Everyone "no access"
    9. I add the Temp folder and use the proposed permissions which are admin RW, parental RW, Everyone "no access" - Funny, there is a new Group called "Temp" created which has custom access on both sharepoints
    10. I connect to the Mac from a Windows machine (NTLM auth set appropriately). Now I try to create a folder on the root of the Disk share, I get a denied message.
    BUT WHEN I GO INTO A SUBFOLDER (eg. ITUNES or IPHOTO), WHICH HAS ALSO JUST "R" PERMISSION FOR THE PARENTAL USER, I AM ABLE TO RW, DELETE AND DO EVERYTHING!!!
    TO RECAPITULATE: THE SHARING PERMISSIONS ARE "R", AND THE FILE PERMISSIONS IN THE RESPECTIVE FOLDERS FOR THE RESPECTIVE USER ARE ALSO JUST "R". BUT THE USER CAN DO EVERYTHING IN THE SUBFOLDERS!!!

  • Privacy/Security Issue with Adobe Flash 10

    Not sure if anyone has noticed this or not, but there is a
    bizarre (if minor) privacy/security issue with Adobe Flash Player
    10. I came across it while attempting to upload a file to Flickr.
    Previous versions of AFP do not exhibit this problem.
    Specifics: using Firefox 3.x, Vista.
    The problem: When Flickr calls the "open file" dialogue in
    Flash 10 (in order to upload files) via the "Upload Photos and
    Videos" link, at the bottom of the dialogue, to the right of the
    "File Name" box, sits a common UI element that brings up a dropdown
    menu of what appear to be (or at least are supposed to be) recently
    viewed or downloaded or accessed files. Actually I'm not sure how
    Flash 10 compiles or accesses this list of files, but at any rate,
    a list of files come up.
    The problem is that, as far as I can tell, the list of files
    that come up reference a long list of files, some that are very old
    and that no longer exist, and that there is no way that I can find
    to clear the list. This is a minor security/privacy issue, as
    generally there should be a way to prevent a dialogue from
    displaying a long list of past-accessed files by clearing a cache
    somewhere or other -- imagine if it was impossible to clear the
    history of a web browser, for example -- this would be considered a
    pretty significant privacy issue. I have tried everything from
    flushing the browser cache to uninstalling and reinstalling the
    browser to uninstalling and reinstalling Adobe Flash to using the
    Flash Settings Manager to clear out the Flash saved sites to
    turning off Vista indexing to clearing out Vista's Recent Items
    list. None of these actions did anything to clear out this list of
    files. I can find no references to these files anywhere when I use
    Vista Search (with unindexed and system files searched as well),
    and I can find no reference to the files anywhere in the registry
    (I checked just in case Flash 10 was storing this index in some
    really bizarre place.) I've linked to a screenshot below of what
    I'm talking about -- most of the files listed below were deleted a
    long, long time ago, and so I have no idea why this dialogue refers
    to them.
    Screenshot
    Is there a simple work-around for this that I'm unaware of?
    Even if there is, there needs to be some more obvious way to clear
    out this list. Where is this information being stored, and what
    criteria does this list use to "put a file on the list"?

    Thanks for putting me on the right scent. That's what I'd
    originally thought, too -- it's just that the file-> open dialog
    was giving an entirely different list of files with other
    applications, so I assumed that it must be Flash that was the
    culprit. Turns out the reason it was different with Flickr was
    because it was restricting the file results via a long string of
    video and picture filetypes that are compatible with the Flickr
    service.
    It turns out the information I'm looking for is buried deep
    within the registry. The only way to clear out this list of files
    is to delete the following key (or specific subkeys):
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidl MRU
    Seems more than a little stupid to store such information in
    the registry if security is your concern. Vista beguiles me
    sometimes.

  • I receive many e-mails with zipped files.  In the past few weeks I can no longer open them as I used to.  I get a window welcoming me to the Application Loader.  ( What is an Application Loader?)  It says I need my iTunes Connect login, but when I try my

    I receive many e-mails with zipped files.  I can no longer open or unzip my files. A window welcoming me to Application Loader drops down.  It prompts for an iTunes Connect login, but will not accept my iTunes login. I have no way to open or unzip my files. Help!!!!

    Application Loader, unless there's another one I'm not familiar with, is part of the iOS SDK. That have usurped the .zip, or you may have removed that application but your Mac is still holding onto the mapping of Zip files to that application. Select a .zip file in Finder, Get Info, and go to the Open with section. Select Archive Utility and click Change All. That should fix the problem.
    Regards.

  • A serious issue with excel file read in ODI

    hi gurus,
    The issue with reading Excel files is that we can read only one file by setting the path from ODBC Data Source Administrator-->System DNS -->Select Work book
    What I want is to read a dynamic path (I can't go back every time and set the Work book to select the Excel file).
    So I came up with a solution: a VBScript that converts the Excel file to CSV. That solved my problem for dynamic paths. The script is as follows:
    Set objArgs = WScript.Arguments
    For I = 0 to objArgs.Count - 1
    FullName = objArgs(I)
    FileName = Left(objArgs(I), InstrRev(objArgs(I), ".") )
    Set objExcel = CreateObject("Excel.application")
    set objExcelBook = objExcel.Workbooks.Open(FullName)
    objExcel.application.visible=false
    objExcel.application.displayalerts=false
    objExcelBook.SaveAs FileName & "csv",23
    objExcel.Application.Quit
    objExcel.Quit
    Set objExcel = Nothing
    set objExcelBook = Nothing
    Next
    Now this script converts the xls file to csv with comma separated values
    e.g. in the Excel sheet if the data is ABC XYZ PQR
    the csv will come out as ABC,XYZ,PQR
    Here the delimiter is , and I want the delimiter to be a pipe |, whose ASCII code is 124
    but if I change 23 to 124 it's not working, I am getting the error cannot save as...
    Can anyone tell me what the correct code for pipe should be
    so that the output is ABC|XYZ|PQR
    AS WE CAN USE THE SCRIPTS IN TOOLS
    Edited by: 789141 on Sep 14, 2010 11:33 PM

    I don't have the answer to your question but I have a different approach to handling multiple Excel files.
    Step 1. Copy a sample source Excel File and Call it Final.xls .
    Step 2. Map this Final.xls to DSN and in Topology call this Final.xls
    Step 3. Do the Reversing and Map and test the Interface . Once its done.
    Step 4. Create a Package and using a http://odiexperts.com/?p=1426 get the list of all the Excel File
    Step 5 . Using this http://odiexperts.com/?p=273 create a Loop to Read the Excel File name
    Step 6 . Copy using OdiFileCopy to Final.xls and run your interface .
    Step 7. Increment the Loop and copy your next File for Final and run the interface
    Step 8 . Finally you will be able to read all the Excel File .
    Step 9 . Delete the source file [ Optional ]
    Hope this helps.

  • Using latest version of fireFox to access Think Central, pages will not load and they say that this is a security issue with FireFox?

    Teachers in our district are supposed to use www.thinkcentral.com with FireFox.
    Some have no problem accessing the lesson plans.
    Most when they login click on a lesson plan and an icon shows up that says loading but never does.
    If you reboot the computer and login you can open a page once but not a second time and no other lessons will open.
    Think Central support says this is a security issue with Firefox.
    I have updated FireFox, all the Adobe, Reader, Flash, Air and Shockwave. As well as Java.
    I have allowed the pop ups to the think Central web site.
    Any help would be appreciated

    Are there any notification icons on the left end of the address bar? If so, please click them to see whether they are related to security issues (such as blocked content - shield icon: [[How does content that isn't secure affect my safety?]]) or a plugin requiring permission (Lego-like icon).
    Does Think Central have any help pages about this issue? Without an account, it is difficult to explore the issue first-hand.

  • Hi.  I am having issues with copying files to my shared WB 2TB HDD connected to my airport extreme.  Comes up with error 50.  I am using a Macbook Pro to copy from so not sure what I am doing wrong.  Can someone help? thanks Rory

    Hi.  I am having issues with copying files to my shared WB 2TB HDD connected to my airport extreme.  Comes up with error 50.  I am using a Macbook Pro to copy from so not sure what I am doing wrong.  Can someone help? thanks Rory

    These links might provide some information that may be of help.
    http://support.apple.com/kb/TA20831
    https://discussions.apple.com/message/2035035?messageID=2035035
    I've encountered this error myself upon occasion.  If I remember correctly, it was a permissions/ownership issue with the some of the files I was copying.

  • I am having issues with Sidebar files not appearing from within InDesign CS5.5. They show up fine from other Adobe applications. Using OS10.6.8.

    I am having issues with Sidebar files not appearing from within InDesign CS5.5. They show up fine from other Adobe applications. Using OS10.6.8.

    I would first of all trash the preference file for InDesign, make sure the application is closed then find the prefs in
    /Users/USER NAME/Library/Preferences/Adobe InDesign and just throw the entire folder away, it will generate a new one after you launch InDesign again.
    Now launch InDesign and see if the problems are resolved.
    If not I would repair your permissions on your hard drive with Disk Utility, and if that fails then de-install InDesign and re-install that single application.
    Let me know if any of these suggestions work for you
    I will be checking my email although you might have to wait for a response as I will be taking a microlight flight over the Victoria Falls tomorrow. Yay can hardly wait.

  • Xml file to mail scenario with zip file as an attachment

    Hi experts,
    I have  a file to mail scenario. File is in xml format.
    At receiver side, first I want to zip this file and send the zip file as an attachment using mail adapter.
    How can i achieve this?
    Regards
    Divia

    Hi Shabarish,
    In the module tab i have specified the below beans
    localejbs/AF_Modules/MessageTransformBean                           contentType
    AF_Modules/PayloadZipBean                                                    zip
    sap.com/com.sap.aii.adapter.mail.app/XIMailAdapterBean           mail
    In the module configuration i mentioned as
    Transform.ContentDescription   file
    Transform.ContentDisposition   attachment:filename="file.xml"
    zip.filenameKey                      contentType
    zip.mode                                zipOne
    Now i am getting the mail with zip file as an attachment.But the name of the attachment i got is MainDocument.zip
    Even the file name inside the zip is MainDocument.xml.
    How can I specify my own file name for both the zip file and the file inside the archive folder? Please help me.
    Regards
    Divia

  • Issue with Sender File FCC

    Hi Experts,
    I have an issue with Sender File FCC Adapter. The file being picked is of type TXT and it is tab separated. The first line contains the field names and from the next line onwards we have values for those fields.
    The field names and field values are tab separated. Even inserting a single letter in some field value manually disrupts the whole setup & alignment of the TXT file and the Sender File CC is unable to pick up the file from the shared folder. If the first file is erroneous and after that a correct TXT file is posted, it fails to pick up the correct file as it is trying to pick the erroneous file first.
    The Error thrown is :
    "Conversion of file content to XML failed at position 0: java.lang.Exception: ERROR converting document line no. 2 according to structure 'ABCD':java.lang.Exception: ERROR in configuration / structure 'ABCD.': More elements in file csv structure than field names specified!"
    I have two questions:
    1. Is there a way to handle such a scenario? For e.g., the erroneous TXT file gets picked but throws an error in PI.
    2. Is there an alternative so that the sender FCC channel picks up the correct files and filters out the erroneous ones?
    Thanks,
    Arkesh

    Hi Arkesh,
    I think you are passing more fields than expected. Please check the parameters defined and send the data accordingly.
    In the processing parameters tab of sender file adapter, you have an option called Archive faulty source files, below to that you would have option to enter the " Directory for Archiving files with Errors".
    I hope this helps you....
    Thanks,

  • Issue with attachment file name

    Hi All,
    This is about an issue with attachment file name:
    We have a scenario wherein we have a payload with attachments ... (attachments can be any doc, pdf). The problem is the main document is coming with messageid.sap.com and that's normal, but attachments are coming with file names, for example something.pdf or something.doc or something.txt ... This is failing in the adapter as it expects the same name as you have in the main document ... Does anybody have any idea how to get through this issue...
    Regards
    kiran

    We have a scenario wherein we have a payload with attachments ... (attachments can be any doc, pdf). The problem is the main document is coming with messageid.sap.com and that's normal, but attachments are coming with file names, for example something.pdf or something.doc or something.txt ... This is failing in the adapter as it expects the same name as you have in the main document ... Does anybody have any idea how to get through this issue...
    - <SAP:Payload xlink:href="cid:payload-4CED452F17C601BDE10080000A492050---sap.com">
      <SAP:Name>1 .Header1.txt</SAP:Name>
    Error we are getting is
    Cannot cast 'Header' to boolean] in class com.sap.aii.mappingtool.flib7.NodeFunctions method createIf[Header, com.sap.aii.mappingtool.tf7.rt.Context---27a73bfa]
    So we have to change the file name Header1.txt to something which we can cast to createIf.... (we cannot tell the sender to change the file name as it is set already)
    Thanks for your interest and assistance
    Regards
    Kiran
