Bugtraq mailing list archives
Re: Multiple vendors FTP denial of service
From: Nate Eldredge <neldredge () HMC EDU>
Date: Wed, 21 Mar 2001 12:56:56 -0800
Stefan Laudat writes:
> Hi Aleph,
>
> Please add this to the 'quick fix collection'. Thanks.
>
> ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>
> disable globbing symbols with:
>
> DenyFilter "[\*\?]"
>
> ?... and as a quick fix for nasty shell users having bash prompts on your
> machine, just enter 'set -f' in the /etc/profile. Of course, until we will
> get a fixed bash or a fixed libc(?).
This would be an enormous pain for your users, and furthermore won't help. If they have a shell, they can simply do `set +f', or run a different shell without such restrictions, or they can even run any other program to suck up tons of memory (`for(;;) malloc(1024);'). To prevent every possible case of this, and have some actual (rather than illusory) security, man ulimit.

There is no bug in bash or in libc; it's a feature. I wouldn't want a system that put arbitrary limits on globbing.

--
Nate Eldredge
neldredge () hmc edu