Bugtraq mailing list archives
Re: ftp conversions exploit
From: lundberg () WU-FTPD ORG (Gregory A Lundberg)
Date: Fri, 24 Dec 1999 22:01:31 -0500
On Fri, Dec 24, 1999 at 08:51:21AM +0200, Alexey Chetroi wrote:
> On Wed, 22 Dec 1999, David Malone wrote:
> > On Wed, Dec 22, 1999 at 04:47:25AM +0000, Desi Hacker wrote:
> >
> > The ftpaccess man page contains the following example line:
> >
> > path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
> >
> > which disallows filenames starting with . or - to anonymous users.
> > Maybe your ftpaccess line contains this?
>
> It doesn't disallow filenames starting with . or -, it disallows filenames with spaces.
Lo, he readeth from the manpage ...
path-filter <typelist> <mesg> <allowed_charset>
{<disallowed reg-exp> ...}
For users in <typelist>, path-filter defines regular
expressions that control what a filename can or can
not be. There may be multiple disallowed regexps.
If a filename is invalid due to failure to match the
regexp criteria, <mesg> will be displayed to the
user. For example:
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
specifies that all upload filenames for anonymous
users must be made of only the characters A-Z, a-z,
0-9, and "._-" and may not begin with a "." or a
"-". If the filename is invalid, /etc/pathmsg will
be displayed to the user.
Taking unto his heart his own advice, he commanded:
$ grep 'path-filter' /etc/ftpaccess
path-filter anonymous,guest /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
And, knowing he was a guest unto himself, he bespoke unto the daemon:
$ ftp ftp.vr.net
Connected to www.vr.net.
220 ftp.vr.net FTP server ready.
Name (ftp.vr.net:lundberg):
331 Password required for lundberg.
Password:
230 User lundberg logged in. Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put da -da
local: da remote: -da
200 PORT command successful.
550 -da: Permission denied on server. (Filename (deny))
ftp> put da .da
local: da remote: .da
200 PORT command successful.
550 .da: Permission denied on server. (Filename (deny))
ftp> ren da .da
350 File exists, ready for destination name
550 .da: Permission denied on server. (Filename (deny))
ftp> ren da -da
350 File exists, ready for destination name
550 -da: Permission denied on server. (Filename (deny))
ftp> quit
You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 723 bytes in 0 transfers.
221-Thank you for using the FTP service on ftp.vr.net.
221 Goodbye.
And, upon seeing the words were good and true, he rested.
--
Gregory A Lundberg WU-FTPD Development Group
1441 Elmdale Drive lundberg () wu-ftpd org
Kettering, OH 45409-1615 USA 1-800-809-2195
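As an added example (not part of Lundberg's message and not wu-ftpd's own code), the Python below models the path-filter semantics the man page excerpt describes: a name is accepted only if it matches the allowed-charset regexp and matches none of the disallowed regexps. The function name path_filter_check and the dictionary layout are this example's own; it applies the regexps to the bare filename as typed in the transcript (whether wu-ftpd splits paths into components is not shown on this page, so that is not modelled), it uses Python's re module in place of the daemon's POSIX regex routines (the two agree for these patterns), and the sample names are constructed inputs.

```python
import re

# The ftpaccess line quoted in the transcript above. Only the two regexp
# fields decide the outcome; typelist and mesg are kept for context.
PATH_FILTER = {
    "typelist": ["anonymous", "guest"],
    "mesg": "/etc/pathmsg",
    "allowed_charset": r"^[-A-Za-z0-9._]*$",
    "disallowed": [r"^\.", r"^-"],
}


def path_filter_check(filename, rule=PATH_FILTER):
    """Apply one path-filter rule to one filename (hypothetical helper).

    Returns (accepted, reason). The name passes only if it matches the
    allowed-charset regexp AND matches none of the disallowed regexps.
    reason is None when accepted, "allowed_charset" when the charset test
    fails, otherwise the disallowed regexp that matched. re.search is used
    (not fullmatch) so the ^ anchors in the rule carry their usual meaning.
    """
    if re.search(rule["allowed_charset"], filename) is None:
        return False, "allowed_charset"
    for pattern in rule["disallowed"]:
        if re.search(pattern, filename) is not None:
            return False, pattern
    return True, None


def explain(filename, rule=PATH_FILTER):
    """Verdict string in the spirit of the 550 replies in the transcript."""
    accepted, reason = path_filter_check(filename, rule)
    if accepted:
        return "%s: accepted" % filename
    if reason == "allowed_charset":
        return "%s: Permission denied (character outside %s)" % (
            filename, rule["allowed_charset"])
    return "%s: Permission denied (Filename (deny), matched %s)" % (
        filename, reason)


if __name__ == "__main__":
    # Constructed sample names: the two from the transcript, two clean
    # ones (a dot is fine when it is not leading), and one with a space,
    # the case raised in the quoted reply.
    for name in ["da", "da.tar.gz", "-da", ".da", "my file"]:
        print(explain(name))
```

Running it shows where each side of the quoted exchange is right: "-da" and ".da" pass the charset test (both characters are inside the bracket expression) and are refused only by the ^- and ^\. regexps, while "my file" never reaches those because the space fails the charset test. The charset alone does not deny a leading dot or dash; the complete rule does, which is what the 550 replies in the transcript demonstrate.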
Current thread:
- Re: ftp conversions exploit Desi Hacker (Dec 21)
- Re: ftp conversions exploit David Malone (Dec 22)
- Re: ftp conversions exploit Alexey Chetroi (Dec 23)
- Re: ftp conversions exploit Gregory A Lundberg (Dec 24)
- WebWho+ ADVISORY Cody T. - hhp (Dec 26)
- Re: ftp conversions exploit Alexey Chetroi (Dec 23)
- Re: ftp conversions exploit Lamont Granquist (Dec 27)
- Re: ftp conversions exploit David Malone (Dec 22)
