[10487] in bugtraq
Debian, Re: wuftp2.4.2academ beta 12-18 exploit
daemon@ATHENA.MIT.EDU (A Mennucc1)
Fri May 7 13:47:13 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990507132510.A7806@Tonelli.sns.it>
Date: Fri, 7 May 1999 13:25:11 +0200
Reply-To: A Mennucc1 <msm@TONELLI.SNS.IT>
From: A Mennucc1 <msm@TONELLI.SNS.IT>
X-To: Gregory Newby <gbnewby@ILS.UNC.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.GSO.4.10.9905032005460.2394-100000@ruby.ils.unc.edu>; from
Gregory Newby on Mon, May 03, 1999 at 08:11:00PM -0400
On Mon, May 03, 1999 at 08:11:00PM -0400, Gregory Newby wrote:
> Workaround:
>
> wu-ftpd and variants that use files /etc/ftp* for configuration
> can easily help protect you against the many recent variants that
> exploit buffer overflows with MKDIR. All the varieties I've
> seen require creating a directory or file - that's where the
> overflow happens.
>
> In /etc/ftpaccess, you have the option to specify SNIP
> mkdir no anonymous
> upload no anonymous
Beware on Debian GNU/Linux
(my version is wu-2.4.2-academ[BETA-16]):
the line mkdir... is silently ignored and has no effect,
and the line upload... has a completely different syntax:
```
upload <root-dir> <dirglob> <yes|no> <owner> <group>
       <mode> ["dirs"|"nodirs"]
Define a directory with <dirglob> that permits or
denies uploads.
```
a.m.
--
Legal Warning: Anyone sending me unsolicited/commercial email WILL be charged
a $100 proof-reading fee. Do NOT send junk email to me - consider this an
official notice:
"By US Code Title 47, Sec.227(a)(2)(B), a computer/modem/printer meets the
definition of a telephone fax machine. By Sec.227(b)(1)(C), it is unlawful
to send any unsolicited advertisement to such equipment. By Sec.227(b)(3)(C),
a violation of the aforementioned Section is punishable by action to recover
actual monetary loss, or $500, whichever is greater, for each violation."
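An /etc/ftpaccess fragment, added here as an illustration and not taken from the message or from the wu-ftpd distribution, putting the two-token form suggested in the quoted workaround next to the same intent written in the upload syntax the message documents for the Debian wu-2.4.2-academ build. The root directory, the drop-box name and the owner, group and mode values are assumed placeholders; the dirs/nodirs keyword is the one in the documented syntax, and per ftpaccess(5) it controls whether subdirectories may be created in the matched directory, which is the only handle left once the mkdir directive is ignored.

```text
# /etc/ftpaccess -- added example, not from the original message.
# Target: wu-ftpd 2.4.2-academ as shipped with Debian, where the mkdir
# directive is silently ignored and upload takes the long form.

# --- Form suggested by the quoted workaround (do NOT rely on this here) ---
# The mkdir line is ignored outright on this build, and the upload line does
# not match the <root-dir> <dirglob> <yes|no> <owner> <group> <mode> syntax
# the build documents, so neither line can be trusted to deny anything.
mkdir   no anonymous
upload  no anonymous

# --- Same intent in the syntax this build documents ---
# Assumed placeholders: /home/ftp is the anonymous root, /incoming the drop
# box, owner/group/mode chosen so anonymous users cannot read uploads back.
#
# Deny uploads everywhere under the anonymous root and forbid creating
# subdirectories ("nodirs"), since mkdir cannot be switched off directly.
upload  /home/ftp  *          no   root  root  0600  nodirs
# Re-allow uploads only inside the drop box, still with "nodirs".
upload  /home/ftp  /incoming  yes  ftp   ftp   0600  nodirs
```

After restarting the daemon, confirm the lines actually took effect by logging in as anonymous and attempting a MKD in /incoming and a STOR outside it; both should be refused. If the MKD still succeeds, the build is not honouring the directive and the only safe course is to remove anonymous write access entirely until the server is upgraded.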