Bugtraq mailing list archives

RE: Wftpd stat Command Remote Vulnerability Exploit


From: "Alun Jones" <alun () texis com>
Date: Thu, 4 Mar 2004 01:10:29 -0600

-----Original Message-----
From: security team 0seen [mailto:o5een () hotmail com] 
Sent: Wednesday, March 03, 2004 2:37 AM

#!/usr/bin/python

#wftpd exploit, code by OYXin

#POC and lame python exploit, only test on WFTPD pro 3.21.1.1
#with win2000 cn sp4

Please test this against 3.21.2.1, released 2/29/2003, updated 3/3/2004.

What does your code have to offer over the code already irresponsibly
released by the previous poster?  Does it offer any more information, or is
it simply "a c001er crack"?  Please don't waste my time offering ever cooler cracks
for the same flaw, especially once the flaw has been patched.  Did you
bother to check and see if it was patched?  Apparently not.  Did you bother
to contact the vendor (me) first?  Definitely not.  In fact, you didn't even
try to contact me _at_all_.  Even the original poster did me that small
favour.

I'm busy trying to keep my users secure.  Either help me in that task, or
don't.  If you help me protect my users, I'll thank you.  If all you're
interested in doing is claiming bragging rights while simultaneously putting
my users at risk, I don't appreciate it in the slightest.

And, not to get on my high horse again, but really, Bugtraq moderators, do
you feel comfortable that you are not contributing to the protection of
users, but are actively involved in removing that protection?

My record speaks for itself, I do not need, and have never needed, the
"persuasion" of having vulnerabilities publicised, with full exploit code.
Vulnerabilities should always be revealed first to the vendor, and some time
given to allow for a reasoned response, rather than publishing the
vulnerabilities and forcing the vendor into a mad scramble to get any patch
out the door quickly.  [Quite frankly, even if my past behaviour _had_ been
shockingly poor, simple courtesy to my users suggests that you at least
_try_ to get my attention to the matter.]

Alun.
~~~~
-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun () texis com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.