Re: wu-ftp vulnerability
At 09:36 PM 11/28/01 -0800, greg@orthogony.com wrote:
>> Thu, Nov 29, 2001 at 12:35:13PM +1100, John Griffiths wrote:
>> At 05:22 PM 11/28/01 -0800, Greg Wiley wrote:
>
>> >http://www.securityfocus.com/archive/1/242750
>> >Debian 2.2 is on the list.
>>
>> Does this affect wu-ftpd's that don't allow anonymous access?
>>
>> i.e. if only users can log on, and I trust my users, can
>> I stop stressing about it until the fixed version is available?
>
>The way I understand it is that it has to do with
>file globbing so in order to exploit, an attacker
>would have to log in. So if anon is off and none
>of your users are baddies, maybe you're ok (although
>an unauthorized person might somehow know
>a legitimate authpair).
>
That's a load off my mind,
I'll be updating as soon as it's available and I'm willing to work with
that risk level for a day or so.
Thank you very much.