
proftpd affected by recent security hole (2004/05/12)?




On proftpd.org front page, I read proftpd has a bug relating
to ASCII translation [1]. Previous one [2] was critical
(remote root shell) but affected only proftpd 1.2.7rc1 and up.

Woody/stable has 1.2.4+1.2.5rc1, which is clearly not affected
by the previous one.

But is it affected by the new proftpd bug?
I guess not, but would like to be certain it's safe.

[next question perhaps too much OT]

By the way, proftpd 1.2.2rc1 fixed a previous hole relating
to globs (something like 'ls */../*/../*/../'). Solution
was to add a DenyFilter (\*.*/). I heard about another vuln
(format string?) solved by DenyFilter too (%). So I used
	DenyFilter (\*.*/|%)
in proftpd.conf. Is it safe not to use it with woody's proftpd?

Christophe

[1] http://proftpd.org/
Quote:
"[12/May/2004]
    There are two issues which have come to our attention,
there is an additional flaw related to the ASCII translation bug
discovered by X-Force, this affects all versions up to and
including 1.2.9rc3. Versions from 1.2.9 are not vulnerable.
Additionally a flaw in the CIDRACL code has been discovered
which can lead to an escalation in access rights within the ftp site.
This flaw affects all versions up to and including 1.2.9,
it has been fixed in cvs and 1.2.10rc1.
To avoid the flaw do not use CIDR based ACLs on vulnerable versions
or use mod_wrap and /etc/hosts.allow|deny. "

[2] http://proftpd.org/critbugs.html
Quote:
"Bug: Remote Exploit in ASCII translation (...)
 Version: 1.2.7rc1 and later (...)
 Severity/Effect: Critical
 Date: September 23, 2003 (...)
 http://xforce.iss.net/xforce/alerts/id/154 (...)
 CANN-2003-0831"

[3] http://bugs.proftpd.org/show_bug.cgi?id=1066
proftpd DoS (Resolved in 1.2.2rc1) like
'ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*'
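
Added example, not part of the original post and not ProFTPD code: a Python check of which FTP command arguments the DenyFilter pattern quoted in the post would reject, including legitimate names it also blocks. It assumes the filter is tested against the argument string only and uses Python's re module in place of the POSIX regex library; the configuration fragment and the sample commands are constructed.

```python
import re

# Constructed proftpd.conf fragment; the DenyFilter line is the one from the post.
SAMPLE_CONF = r"""ServerName "example"
# constructed comment line
DenyFilter (\*.*/|%)
"""

# Constructed sample FTP command lines.
SAMPLES = [
    "LIST */../*/../*/../",    # glob pattern of the kind described in [3]
    "LIST *.txt",              # ordinary wildcard listing
    "NLST pub/*/",             # wildcard directory followed by a slash
    "RETR report%202004.pdf",  # legitimate name that contains '%'
    "RETR readme.txt",
    "LIST",                    # no argument at all
]


def load_deny_filters(conf_text):
    """Compile the pattern of every DenyFilter directive found in conf_text."""
    filters = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "denyfilter":
            filters.append(re.compile(parts[1].strip()))
    return filters


def is_denied(command_line, filters):
    """Assumption: the filter is matched against the arguments, not the verb."""
    _, _, args = command_line.partition(" ")
    return any(f.search(args) for f in filters)


def audit(conf_text=SAMPLE_CONF, commands=SAMPLES):
    """Map each command line to True when a DenyFilter pattern matches it."""
    filters = load_deny_filters(conf_text)
    return {cmd: is_denied(cmd, filters) for cmd in commands}


if __name__ == "__main__":
    for cmd, denied in audit().items():
        print("DENY " if denied else "allow", cmd)
```

The pattern rejects any argument where a '*' is followed later by a '/', and any argument containing '%', so a plain '*.txt' listing passes while file names with a literal '%' are refused.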


