Bugtraq mailing list archives

Re: The old "." problem


From: sfaust () ISI-MTL COM (S.Faust)
Date: Sat, 16 Oct 1999 20:02:27 -0400


What version of Serv-U did you test?
On my side with the latest version (as of 16/10/99)
it didn't work.

Log:

C:\TEMP\test>ftp slaughter
Connected to slaughter.
220 Serv-U FTP-Server v2.5a for WinSock ready...
User (slaughter:(none)): test
331 User name okay, need password.
Password:
230 User logged in, proceed.
ftp> cd test
250 Directory changed to /c:/ftp/test
ftp> ls -l
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
-rwx------   1 user     group           0 Oct 16 19:50 servu-ftpd-dot-test.txt
226 Transfer complete.
80 bytes received in 0.00 seconds (80000.00 Kbytes/sec)
ftp> get servu-ftpd-dot-test.txt
200 PORT Command successful.
550 Permission denied.
ftp> get servu-ftpd-dot-test.txt.
200 PORT Command successful.
550 Permission denied.
ftp> get servu-ftpd-dot-test.txt..
200 PORT Command successful.
550 Permission denied.
ftp> get servu-ftpd-dot-test.txt.......................................
200 PORT Command successful.
550 Permission denied.
ftp>

----- Original Message -----
From: <nblasgen () NICK REFRACT COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, October 13, 1999 6:31 PM
Subject: The old "." problem

A while back there was the problem of Windows HTTP servers with CGI and
other server-parsed pages (ASF, SMX, etc.): if you added a "." to the end it
would give you the raw code in TEXT format.  I understand how that was a
security problem.

Just noticed that the same problem is true for at least one Windows FTP
server, Serv-U.  I can't find a problem with being able to request files
with an extra "." at the end.  I was unable to test the idea of downloading
files that I had no permissions to.

Nicholas Blasgen
Refract, LLC
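
The trailing "." behaviour discussed in this thread arises because the Win32 layer drops trailing dots and spaces from the last path component, so a permission check on the raw requested string can disagree with the file that is actually opened. The sketch below is an added example, not from either poster and not Serv-U's code; the rule table, paths and function names are constructed, and the canonicalisation is a simplified model of Win32 behaviour.

```python
import ntpath

# Constructed rules (lower-cased path -> may read?); most specific entry wins.
RULES = {
    r"c:\ftp\test\servu-ftpd-dot-test.txt": False,  # file the user may not fetch
    r"c:\ftp\test": True,                           # rest of the directory is readable
}

def win32_canonical(path):
    """Simplified model of the name Win32 will open: separators normalised,
    trailing dots/spaces of the last component dropped, case folded."""
    return ntpath.normpath(path).rstrip(". ").lower()

def allowed(path):
    """Walk from the path up through its parents; default deny."""
    while True:
        if path in RULES:
            return RULES[path]
        parent = ntpath.dirname(path)
        if parent == path:          # reached the drive root without a match
            return False
        path = parent

def naive_check(requested):
    # Compares the raw client string: "file.txt." misses the file rule
    # and inherits the directory's allow rule instead.
    return allowed(requested.lower())

def hardened_check(requested):
    # Canonicalise first, so the rule lookup and the open() see the same name.
    return allowed(win32_canonical(requested))

if __name__ == "__main__":
    base = r"c:\ftp\test\servu-ftpd-dot-test.txt"
    for suffix in ("", ".", "..", ". ."):
        name = base + suffix
        print(repr(suffix), "naive:", naive_check(name),
              "hardened:", hardened_check(name))
```

A server that answers 550 to every dotted variant, as in the log above, is behaving like `hardened_check`.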

