
Re: DoS in debian (potato) proftpd



On Wed, Mar 27, 2002 at 12:37:59AM +0100, martin f krafft wrote:
> also sprach Joe Dollard <joed@devel.livenote.com> [2002.03.25.2114 +0100]:

Hi,

> > 	The version of proftp that is in debian potato (1.2.0pre10 as
> > 	reported by running 'proftpd -v ') is vulnerable to a glob DoS
> > 	attack, as discovered on the 15th March 2001. You can verify this
> > 	bug by logging in to a server running debian stable's proftpd and
> > 	typing "ls
> > 	*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*".
> > 	This results in 100% of the CPU and memory resources being
> > 	consumed (more info at http://proftpd.linux.co.uk/critbugs.html),
> 
> (please fix your line wraps!)
> 
> security.debian.org has proftpd_1.2.0pre10-2.0potato1 which does not
> contain this bug, at least not on i386 systems:
> 
> fishbowl:~> ncftp lapse.home.madduck.net
> NcFTP 3.1.2 (Jan 28, 2002) by Mike Gleason (ncftp@ncftp.com).
> Connecting to 192.168.14.3
> ProFTPD 1.2.0pre10 Server (Debian) [lapse.home.madduck.net]
> Logging in...
> 
> Anonymous access granted, restrictions apply.
> Logged in to localhost.
> ncftp / > ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
> <and on for another screen full>
> 
> fishbowl:~> ssh lapse 'cat /etc/debian_version; uname -a'
> 2.2r5
> Linux lapse 2.2.20 #1 Tue Feb 12 14:22:30 CET 2002 i486
If my understanding of this bug is right, the new bug with the old problem
is in mod_sql. So if you don't use it you should not be vulnerable, because no
input data is passed through it.
Another thing: the vulnerable mod_sql release was not shipped with the proftpd
stable release.

Sven

-- 
Lamer! :)
Local admin with enormous privileges[tm]
[Christian Schneider and Jens Himmelrath in alt.hacker.org-gcf]
http://www.linux-secure.de http://www.linuxboard.de
http://www.bluephod.net http://www.disconow.de
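As an added illustration, not part of this thread or of ProFTPD's own code: a small Python check that models why the quoted pattern is expensive (every wildcard segment multiplies the candidate paths by the directory fan-out, so `*/../*/../*` costs fanout^3 and twelve such segments are hopeless) and flags LIST/NLST arguments whose worst-case cost exceeds a budget in an FTP command log. The log format, the fan-out and budget values, the sample lines and the function names are all assumptions made for this example.

```python
import re

# Constructed sample of FTP command lines: "client user COMMAND argument".
# The layout is assumed for this example; it is not proftpd's log format.
DOS_PATTERN = "/../".join(["*"] * 12)  # constructed: 12 wildcard segments
SAMPLE_LOG = "\n".join([
    "192.0.2.10 anonymous LIST /pub",
    "192.0.2.10 anonymous NLST *.tar.gz",
    "198.51.100.7 anonymous LIST " + DOS_PATTERN,
])

WILDCARD = re.compile(r"[*?\[]")


def glob_expansion_bound(pattern: str, fanout: int) -> int:
    """Worst-case number of paths a naive recursive glob may visit.

    A segment containing a wildcard can match each of `fanout` directory
    entries, and the segments multiply.  A literal segment, including '..',
    which only steps back into the same directory, matches at most one
    entry, so it does not grow the product.
    """
    total = 1
    for segment in pattern.split("/"):
        if WILDCARD.search(segment):
            total *= fanout
    return total


def is_glob_dos_candidate(argument: str, fanout: int = 50,
                          budget: int = 1_000_000) -> bool:
    """True when the worst-case expansion exceeds the allowed budget."""
    return glob_expansion_bound(argument, fanout) > budget


def scan_ftp_log(text: str, fanout: int = 50, budget: int = 1_000_000):
    """Return (client, command, bound) for directory listings over budget."""
    hits = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        client, _user, command, argument = parts
        if command.upper() in ("LIST", "NLST", "STAT") and \
                is_glob_dos_candidate(argument, fanout, budget):
            hits.append((client, command, glob_expansion_bound(argument, fanout)))
    return hits


if __name__ == "__main__":
    for client, command, bound in scan_ftp_log(SAMPLE_LOG):
        print(f"{client} {command}: worst-case {bound} path candidates")
```

The same bound can be applied before a listing is executed, refusing patterns over budget, which is the mitigation rather than the detection side of the problem.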

