Bugtraq mailing list archives

Re: Multiple-Vendor-FTP-Vuln. (old?)


From: Roman Drahtmueller <draht () suse de>
Date: Tue, 21 Aug 2001 01:40:30 +0200 (MEST)


I tested an old proftpd bug (ls /../*/../*/../*/../*/../*/../*/../*) on
many new Linux-Dist.. When a user is logged in to ftp and types
the ls command, the in.ftpd takes over 90 percent cpu-usage and executes
the command 2 or 3x, then the full system hangs up. It also works in
console. I wonder that it is not fixed. THIS BUG IS OLD. POSTED ON BUGTRAQ
in March 01, but
it still works so I post it again.

affected:

RedHat Linux 7.x
Linux Mandrake 8.0
SuSE Linux 7.2

I wonder when or where you tested this. The proftpd package that can be
found in the /pub/suse/<arch>/update/*/n1/ directories on ftp.suse.com
(age: May 9th) does not show this behaviour and appears to be sane.

[...]

Fix:

set cpu-limit for your anonymous user.

I doubt that this solution is very efficient if you provide automatic
gzip (and maybe tar) service so that your users can get a directory
recursively in form of a tarfile by using the command

 get directory_name.tar.gz

You'd have to choose...

Also recommended:

DenyFilter  "%"

if there are more format string errors in the code, this might be an easy
workaround until the code is fixed in the right place.

Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht () suse de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
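
An added example, not part of the original post and not ProFTPD's own code: a check a server could run on a listing argument before any glob expansion, refusing the shape quoted in the post, with an optional regex deny filter modelled loosely on the `DenyFilter` directive. The verb set, the `max_wild` threshold and the function names are assumptions made for this sketch.

```python
import re

# Verbs whose argument the server expands with glob() (assumption for this sketch).
# The client-side "ls" reaches the server as LIST or NLST.
GLOBBING_VERBS = {"LIST", "NLST", "STAT"}
WILDCARD = re.compile(r"[*?\[]")


def glob_cost(arg):
    """Return (wildcard_segments, dotdot_segments) for a path argument."""
    segments = [s for s in arg.split("/") if s]
    wild = sum(1 for s in segments if WILDCARD.search(s))
    dotdot = sum(1 for s in segments if s == "..")
    return wild, dotdot


def should_reject(command_line, max_wild=2, deny_filter=None):
    """Decide whether to refuse an FTP command before expanding its argument.

    max_wild is a hypothetical policy knob. deny_filter is a regex applied to
    the command argument (an assumption about scope, not ProFTPD's exact rule).
    Returns (rejected, reason).
    """
    verb, _, arg = command_line.strip().partition(" ")
    if deny_filter and re.search(deny_filter, arg):
        return True, "matches deny filter"
    if verb.upper() not in GLOBBING_VERBS:
        return False, "verb does not glob"
    wild, dotdot = glob_cost(arg)
    if wild > max_wild:
        # Each wildcard segment multiplies the number of paths to visit.
        return True, f"{wild} wildcard segments"
    if wild and dotdot:
        # '..' lets every expanded directory be re-expanded from its parent.
        return True, "wildcard combined with '..'"
    return False, "ok"


# Constructed sample commands; the first has the shape quoted in the post.
SAMPLES = [
    "LIST " + "/../*" * 7,
    "LIST *.txt",
    "LIST pub/*/README",
    "RETR a%n.txt",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", should_reject(line, deny_filter="%"))
```

Unlike a CPU limit, this check does not affect on-the-fly tar or gzip retrieval, because it only inspects the arguments of listing commands.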


