Bugtraq mailing list archives

Re: Multiple vulnerabilites in glFtpD (current versions)

From: pele () ACC UMU SE (Per Lejontand)
Date: Thu, 23 Dec 1999 22:29:57 +0100


at Thu, Dec 23, 1999 at 11:31:53AM +1100 suid wrote:

      3) SITE ZIPCHK command:

              The SITE command ZIPCHK can be used to check the validity of a ZIP file on a server.
              Presumably this is so you can make sure the ZIP file you are about to download is valid
              and free from error. The way this works is thus:

                      glFtpD user does:
                      ftp> quote SITE ZIPCHK XXXXX.ZIP
                      
                      glFtpD then runs a shell script with XXXXX.ZIP as argv[1] or 2.
                      which calls /bin/unzip etc etc.

              If a user is able to create a filename with ";" characters in the name, they can
              execute arbitrary code on the remote server with the privelege level of the server.


Easy fix should be override the command in glftpd.conf (or equivalent) with
something like:

site_cmd ZIPCHK TEXT /ftp-data/misc/disabled

Wich causes a textfile to be displayed rather then a command executed.

--

//Per
.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,
  Per Lejontand, Student of Computer science, Admin @ {acc,ltlab}.umu.se
  Phone: +46-70-2163191
 *** Stay away from hurricanes for a while.

Current thread:

FTPPro insecuities, (continued)
- - - FTPPro insecuities The Wall (Dec 27)
    - serious Lotus Domino HTTP denial of service Alain Thivillon (Dec 21)
    - More details on the WU-FTPD configuration vulnerability. suid (Dec 21)
    - Microsoft Security Bulletin (MS99-058) Aleph One (Dec 21)
    - Microsoft Security Bulletin (MS99-061) Aleph One (Dec 21)
    - More Netscape Passwords Available. Rob Jones (Dec 21)
    - UnixWare i2odialogd remote root exploit Brock Tellier (Dec 21)
    - IE 5.01 vulnerabilities in external.NavigateAndFind() Georgi Guninski (Dec 22)
    - Solaris 2.7 dmispd local/remote problems Brock Tellier (Dec 22)
    - Multiple vulnerabilites in glFtpD (current versions) suid (Dec 22)
    - Re: Multiple vulnerabilites in glFtpD (current versions) Per Lejontand (Dec 23)
    - Re: Multiple vulnerabilites in glFtpD (current versions) The Tree of Life (Dec 23)
    - Re-release of Microsoft Security Bulletin MS99-046 Microsoft Product Security (Dec 23)
    - BUG? Non-root user can configure traffic shaper (2.2.13) (fwd) Yuri Kuzmenko (Dec 24)
    - RealMedia Server 5.0 Crasher (rmscrash.c) bow (Dec 22)
    - Re: procmail / Sendmail - five bugs Casper Dik (Dec 23)
    - Re: SSH-1.2.27 & RSAREF2 exploit Wakko Ellington Warner-Warner III (Dec 15)
    - Recent postings about SCO UnixWare 7 Andrew Malcolm (Dec 15)
    - Re: SSH-1.2.27 & RSAREF2 exploit Iván Arce (Dec 15)
    - Oops, my apologies. Wakko Ellington Warner-Warner III (Dec 15)
    - IRCnet IRCD 2.0x Reboot Bug A Bloke (Dec 15)

(Thread continues...)