also sprach Noah Meyerhans <[EMAIL PROTECTED]> [2002.03.29.2149 +0100]:
> No, it is in fact not fixed. We are still vulnerable. I have confirmed
> this myself with the proftpd packages from security.debian.org.
>
> If you don't believe me, try it...

i did. and it wasn't vulnerable. i will try again right now...

  lapse:/tmp# ls /etc/proftpd.conf
  ls: /etc/proftpd.conf: No such file or directory
  lapse:/tmp# dpkg -i proftpd_1.2.0pre10-2.0potato1_i386.deb
  [...]
  lapse:/tmp# dpkg -l proftpd | grep ^ii
  ii proftpd 1.2.0pre10-2.0 Versatile, virtual-hosting FTP
  lapse:/tmp# grep -i Filter /etc/proftpd.conf
  lapse:/tmp# ncftp localhost
  [... snip ...]

okay, i'll spare you the details, here's the results i've come up with:
my ftproot, which i originally tested against, was way too small. i've
now created an ftproot with 20Gb of data and a very complex directory
hierarchy, and in fact, proftpd will go to consume a lot of resources.
however, this is far from a DoS, i think. the parent instance of proftpd
very happily handles new logins speedily, and contrary to my
expectations, the spawned proftpd, handling the cracker connection is
not even accessing the disk. it just hangs there and consumes resources.
i will let this thing run for some time and see if it ever finishes.

nevertheless, the proftpd deb found at

  http://security.debian.org/debian-security/dists/potato/updates/main/binary-i386/proftpd_1.2.0pre10-2.0potato1_i386.deb

*does not* contain a DenyFilter as you suggested. so in fact, this is
not really patched if you can consider it a security hole. but even if
not, it's annoying and *should* be banned.

i'll post a followup to bugtraq...

-- 
martin; (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" [EMAIL PROTECTED]

prepBut nI vrbLike adjHungarian! qWhat's artThe adjBig nProblem?
                                                 -- alec flett @netscape