Bugtraq mailing list archives
Re: wu-ftpd info.
From: paul () vix com (Paul A Vixie)
Date: Wed, 13 Apr 1994 08:03:08 -0700
> To fix the security hole in previous version 2.3:
> 1. remove "site exec" from commands.

that would help but isn't enough by itself

> 2. stop anonymous uploading via adding "chmod no anonymous" and "umask no anonymous" to ftpaccess file.

that would help but isn't enough by itself

> 3. remove ftp-exec subdirectory in ~ftp/bin

that would help but isn't enough by itself

> 4. Obtain and install wu-ftpd 2.3

that would really fix it. the latest "wrl" ftpd also has a fix for this. since the security bug was in code that i added to "wrl"'s ftpd and the "wu" people got the code (and the bug) from "wrl", it's significant that both versions are fixed. i actually like the fix i put into "wrl"'s better than the one the "wu" people put into theirs, since i took the oppty to clean up some other problems.

the reason CERT hasn't announced this yet is that they are still coordinating with vendors and the larger ftp sites to get the bug fixed before they publicize it. so please keep this information to yourselves.
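
Added example, not part of the original message and not wu-ftpd code: a small Python audit that reports whether workarounds 2 and 3 from the quoted list are in place (per the reply above, none of them is enough by itself). The function names, the assumed `<directive> <yes|no> <typelist>` line shape, and the sample fragment are constructed for illustration.

```python
import os

DIRECTIVES = ("chmod", "umask")  # the two ftpaccess directives from step 2

def anonymous_settings(ftpaccess_text):
    """Collect every yes/no value each directive applies to anonymous users.

    Assumed line shape: '<directive> <yes|no> <typelist>', typelist being a
    comma-separated list such as 'guest,anonymous'.
    """
    seen = {name: set() for name in DIRECTIVES}
    for raw in ftpaccess_text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or raw.lstrip().startswith("#"):
            continue
        name, value = fields[0].lower(), fields[1].lower()
        types = [t.lower() for t in fields[2].split(",")]
        if name in seen and value in ("yes", "no") and "anonymous" in types:
            seen[name].add(value)
    return seen

def findings(ftpaccess_text, ftp_home=None):
    """Return one finding per workaround from the quoted list not in place."""
    out = []
    for name, values in anonymous_settings(ftpaccess_text).items():
        # Conservative: pass only when every matching line says "no".
        if values != {"no"}:
            out.append(f'missing "{name} no anonymous"')
    if ftp_home and os.path.isdir(os.path.join(ftp_home, "bin", "ftp-exec")):
        out.append("ftp-exec subdirectory still present in ~ftp/bin")
    return out

# Constructed sample, not taken from any real server.
SAMPLE = """\
# constructed ftpaccess fragment
class   all   real,guest,anonymous  *
chmod   no    guest,anonymous
umask   yes   anonymous
"""

if __name__ == "__main__":
    for finding in findings(SAMPLE):
        print("FINDING:", finding)
```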