Re: Multiple vulnerabilites in glFtpD (current versions)
Subject: Re: Multiple vulnerabilites in glFtpD (current versions)
From: Per Lejontand (pele ACC.UMU.SE)
Date: Thu Dec 23 1999 - 15:29:57 CST
at Thu, Dec 23, 1999 at 11:31:53AM +1100 suid wrote:
> 3) SITE ZIPCHK command:
>
> The SITE command ZIPCHK can be used to check the validity of a ZIP file on a server.
> Presumably this is so you can make sure the ZIP file you are about to download is valid
> and free from error. The way this works is thus:
>
> glFtpD user does:
> ftp> quote SITE ZIPCHK XXXXX.ZIP
>
> glFtpD then runs a shell script with XXXXX.ZIP as argv[1] or 2.
> which calls /bin/unzip etc etc.
>
> If a user is able to create a filename with ";" characters in the name, they can
> execute arbitrary code on the remote server with the privilege level of the server.
Easy fix should be to override the command in glftpd.conf (or equivalent) with
something like:
site_cmd ZIPCHK TEXT /ftp-data/misc/disabled
Which causes a text file to be displayed rather than a command executed.
--//Per
Per Lejontand, Student of Computer science, Admin {acc,ltlab}.umu.se
Phone: +46-70-2163191
*** Stay away from hurricanes for a while.
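
The quoted report traces the problem to a file name containing ";" being handed to a shell. The sketch below is an added example, not part of the thread and not glFtpD's code: it contrasts a helper that lets the shell re-parse the name with one that validates it and passes it as a single argument. `zipchk_unsafe`, `safe_zip_name`, `zipchk` and `ZIPCHK_TOOL` are hypothetical names, and the thread does not say where glFtpD itself builds its command line.

```shell
#!/bin/sh
# Added example; every name here is hypothetical, not glFtpD's own code.
# ZIPCHK_TOOL lets the checker be swapped for a stand-in; default is unzip.

# Unsafe pattern (for contrast): the name is spliced into a command string
# that the shell parses again, so ";" in the name ends the unzip command.
zipchk_unsafe() {
    eval "${ZIPCHK_TOOL:-unzip} -tqq $1"
}

# Allowlist: a bare file name of letters, digits, ".", "_" and "-" ending in
# .zip. Rejects empty names, paths, leading "-" or "." and all metacharacters.
safe_zip_name() {
    case "$1" in
        ''|-*|.*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *.[zZ][iI][pP]) return 0 ;;
        *) return 1 ;;
    esac
}

# Hardened form: validate first, then pass the name as one quoted argument.
# The "./" prefix keeps the tool from reading the name as an option.
zipchk() {
    if ! safe_zip_name "$1"; then
        echo "Invalid file name." >&2
        return 2
    fi
    "${ZIPCHK_TOOL:-unzip}" -tqq "./$1"
}
```

Validation in the helper only covers the helper: if the calling program already builds its own shell command line from the file name, the same allowlist has to be applied there, or the command disabled as suggested in the reply above.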
This archive was generated by hypermail 2b27 : Fri Dec 24 1999 - 11:56:42 CST