proftpd affected by recent security hole (2004/05/12) ?
On proftpd.org front page, I read proftpd has a bug relating to ASCII translation [1]. Previous one [2] was critical (remote root shell) but affected only proftpd 1.2.7rc1 and up. Woody/stable has 1.2.4+1.2.5rc1, which is clearly not affected by the previous one. But is it affected by the new proftpd bug ? I guess not, but would like to be certain it's safe. [next question perhaps too much OT] By the way, proftpd 1.2.2rc1 fixed a previous hole relating to globs (something like 'ls */../*/../*/../'). Solution was to add a DenyFilter (\*.*/). I heard about another vuln (format string?) solved by DenyFilter too (%). So I used DenyFilter (\*.*/|%) in proftpd.conf. Is it safe not to use it with woody's proftpd ? Christophe [1] http://proftpd.org/ Quote: "[12/May/2004] There are two issues which have come to our attention, there is an additional flaw related to the ASCII translation bug discovered by X-Force, this affects all versions up to and including 1.2.9rc3. Versions from 1.2.9 are not vulnerable. Additionally a flaw in the CIDRACL code has been discovered which can lead to an escalation in access rights within the ftp site. This flaw affects all versions up to and including 1.2.9, it has been fixed in cvs and 1.2.10rc1. To avoid the flaw do not use CIDR based ACLs on vulnerable versions or use mod_wrap and /etc/hosts.allow|deny. " [2] http://proftpd.org/critbugs.html Quote: "Bug: Remote Exploit in ASCII translation (...) Version: 1.2.7rc1 and later (...) Severity/Effect: Critical Date: September 23, 2003 (...) http://xforce.iss.net/xforce/alerts/id/154 (...) CANN-2003-0831" [3] http://bugs.proftpd.org/show_bug.cgi?id=1066 proftpd DoS (Resolved in 1.2.2rc1) like 'ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*'
proftpd affected by recent security hole (2004/05/12) ?
On proftpd.org front page, I read proftpd has a bug relating to ASCII translation [1]. Previous one [2] was critical (remote root shell) but affected only proftpd 1.2.7rc1 and up. Woody/stable has 1.2.4+1.2.5rc1, which is clearly not affected by the previous one. But is it affected by the new proftpd bug ? I guess not, but would like to be certain it's safe. [next question perhaps too much OT] By the way, proftpd 1.2.2rc1 fixed a previous hole relating to globs (something like 'ls */../*/../*/../'). Solution was to add a DenyFilter (\*.*/). I heard about another vuln (format string?) solved by DenyFilter too (%). So I used DenyFilter (\*.*/|%) in proftpd.conf. Is it safe not to use it with woody's proftpd ? Christophe [1] http://proftpd.org/ Quote: "[12/May/2004] There are two issues which have come to our attention, there is an additional flaw related to the ASCII translation bug discovered by X-Force, this affects all versions up to and including 1.2.9rc3. Versions from 1.2.9 are not vulnerable. Additionally a flaw in the CIDRACL code has been discovered which can lead to an escalation in access rights within the ftp site. This flaw affects all versions up to and including 1.2.9, it has been fixed in cvs and 1.2.10rc1. To avoid the flaw do not use CIDR based ACLs on vulnerable versions or use mod_wrap and /etc/hosts.allow|deny. " [2] http://proftpd.org/critbugs.html Quote: "Bug: Remote Exploit in ASCII translation (...) Version: 1.2.7rc1 and later (...) Severity/Effect: Critical Date: September 23, 2003 (...) http://xforce.iss.net/xforce/alerts/id/154 (...) CANN-2003-0831" [3] http://bugs.proftpd.org/show_bug.cgi?id=1066 proftpd DoS (Resolved in 1.2.2rc1) like 'ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*' -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]