Bugtraq mailing list archives

Re: SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS


From: jgaa () JGAA COM (Jarle Aase)
Date: Sat, 8 Jan 2000 14:46:37 +0100


On January 5th 2000, a serious security problem with War FTP Daemon 
1.70 was reported by email. Two hours after I read the mail, 
a security alert was sent to the war-ftpd mailing list, 
the alt.comp.jgaa newsgroup and the bugtraq mailing list. 
The alert advised all server operators to take the server 
off-line until further notice.

Brief overview:
  *War FTP Daemon 1.70: The bug allows unrestricted access 
         to any file on the local machine also for users 
         that have not logged on. If an older ODBC driver 
         is installed, the bug also gives users unlimited 
         access to all system commands, with administrator 
         privileges (this is a bug in ODBC that has been 
         fixed in recent versions). The advice is to take 
         all version 1.70 servers off-line until the server 
         is upgraded! A bugfix (War FTP Daemon 1.71) was 
         released January 8th 2000 14:40 CET. 
         
  *War FTP Daemon 1.67b2 and previous versions: The bug may 
         give privileged users unrestricted access to some 
         files. Users must be logged in, and have at least 
         write or create permissions. Users cannot 
         execute commands. A bugfix was released less than 
         24 hours after I read the mail that reported the problem.
 
Bugfixes are released at:

   ftp://ftp.no.jgaa.com\

The latest information about this problem can be found at:

   http://war.jgaa.com/alert/

Jarle Aase
