Bugtraq mailing list archives
Re: ftp conversions exploit
From: lamont () ICOPYRIGHT COM (Lamont Granquist)
Date: Mon, 27 Dec 1999 11:53:04 -0800
On Wed, 22 Dec 1999, Desi Hacker wrote:
> during the exploiting process.. the final step as instructed by the author doesn't work
>
> ftp> get "--use-compress-program=sh blah".tar
>
> or
>
> ftp> get "--use-compress-program=sh blah".tar
>
> instead it gives a warning of permission denied! in case of anon ftp logging
The author made it fairly clear that this exploit applied to non-anonymous accounts, which are more trusted by default than the anonymous FTP account. The exploit should also fail for anonymous users in the next step which requires rights to do a SITE CHMOD. The moral of the exploit seems to be that you shouldn't trust people with non-anon FTP access who you wouldn't trust with shell accounts.