also sprach Noah Meyerhans <noahm@debian.org> [2002.03.29.2149 +0100]:
> No, it is in fact not fixed. We are still vulnerable. I have confirmed
> this myself with the proftpd packages from security.debian.org.
>
> If you don't believe me, try it...
i did. and it wasn't vulnerable. i will try again right now...
lapse:/tmp# ls /etc/proftpd.conf
ls: /etc/proftpd.conf: No such file or directory
lapse:/tmp# dpkg -i proftpd_1.2.0pre10-2.0potato1_i386.deb
[...]
lapse:/tmp# dpkg -l proftpd | grep ^ii
ii proftpd 1.2.0pre10-2.0 Versatile, virtual-hosting FTP
lapse:/tmp# grep -i Filter /etc/proftpd.conf
lapse:/tmp# ncftp localhost
[... snip ...]
okay, i'll spare you the details, here's the results i've come up
with:
my ftproot, which i originally tested against, was way too small. i've
now created an ftproot with 20Gb of data and a very complex directory
hierarchy, and in fact, proftpd will go to consume a lot of resources.
however, this is far from a DoS, i think. the parent instance of
proftpd very happily handles new logins speedily, and contrary to my
expectations, the spawned proftpd, handling the cracker connection is
not even accessing the disk. it just hangs there and consumes
resources.
i will let this thing run for some time and see if it ever finishes.
nevertheless, the proftpd deb found at
http://security.debian.org/debian-security/dists/potato/updates/main/binary-i386/proftpd_1.2.0pre10-2.0potato1_i386.deb
*does not* contain a DenyFilter as you suggested. so in fact, this is
not really patched if you can consider it a security hole.
but even if not, it's annoying and *should* be banned. i'll post
a followup to bugtraq...
--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
prepBut nI vrbLike adjHungarian! qWhat's artThe adjBig nProblem?
-- alec flett @netscape
Attachment:
pgpEdch_HD2kD.pgp
Description: PGP signature