[11564] in bugtraq

Re: ... / wu-ftpd <=2.5 / ...

daemon@ATHENA.MIT.EDU (Volker Borchert)
Sat Aug 28 19:16:37 1999

Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Message-Id:  <199908250948.LAA16517@Uranos.teknon.de>
Date:         Wed, 25 Aug 1999 11:48:18 +0200
Reply-To: Volker Borchert <bt@TEKNON.DE>
From: Volker Borchert <bt@TEKNON.DE>
X-To:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of Sun, 04 Jul 1999 13:38:48 +0200

|> ----------------------------
|> wu-ftpd 2.5, VR and BeroFTPD
|> ----------------------------

*** ftpd.c	Sun Jun  6 15:20:21 1999
--- ftpd_patched.c	Sun Jun  6 15:15:03 1999
***************
*** 1245,1251 ****
        /* append the dir part with a leading / unless at root */
        if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
                strcat( mapped_path, "/" );
!       strcat( mapped_path, dir );
  }

  int
--- 1245,1254 ----
        /* append the dir part with a leading / unless at root */
        if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
                strcat( mapped_path, "/" );
!       if ( strlen(mapped_path) + strlen (dir) < 4095 )
!               strcat( mapped_path, dir );
!       else
!         syslog(LOG_ERR, "FTP mapped_path attack ");
  }

  int
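
Review bot: the limit in the added test "if ( strlen(mapped_path) + strlen (dir) < 4095 )" is a literal that is not tied to the declared size of mapped_path, so the check only holds where that array is at least 4096 bytes; derive the bound from the buffer itself, e.g. sizeof(mapped_path) where the array is in scope. The unchanged strcat( mapped_path, "/" ) just above still runs without any length test, so the check should include the separator and be made before either append. The else branch logs a fixed string and then falls through to the end of the function, so the caller cannot tell that dir was not appended; consider logging the lengths involved and signalling the failure.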

This patch has a serious flaw - like making the wolf your shepherd:
the hard coded "4095" buffer size. See line 1200:

	char mapped_path[ MAXPATHLEN ] = "/";

For example, on this here machine running SunOS 5.6, MAXPATHLEN is
1024. Use "sizeof(mapped_path)" instead.

(BTW, your diff contains DOS style "cr/lf" sequences, so anyone
 willing to apply it should pipe it into "patch" via "dos2unix".)

	vb
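
An added example, not part of the original message and not wu-ftpd code: a bounded append that takes its limit from the destination array, as the reply suggests, and also accounts for the "/" separator. The names append_dir and EXAMPLE_MAXPATHLEN and the sample inputs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for MAXPATHLEN (1024 on the SunOS 5.6 machine above);
 * the real value comes from the platform headers. */
#define EXAMPLE_MAXPATHLEN 1024

/* Append dir to path, inserting "/" unless path is exactly the root "/".
 * cap must be the size of the destination array, i.e. sizeof(buffer).
 * Returns 0 on success, -1 if the result would not fit; on failure path
 * is left untouched so the caller can log and reject the request. */
static int append_dir(char *path, size_t cap, const char *dir)
{
    const char *end = memchr(path, '\0', cap);
    if (end == NULL)
        return -1;                       /* not NUL-terminated within cap */

    size_t plen = (size_t)(end - path);
    size_t dlen = strlen(dir);
    size_t sep  = (plen == 1 && path[0] == '/') ? 0 : 1;
    size_t room = cap - plen - 1;        /* free bytes, excluding the NUL */

    /* Compare by subtraction so the length sum cannot wrap around. */
    if (room < sep || dlen > room - sep)
        return -1;

    if (sep)
        path[plen++] = '/';
    memcpy(path + plen, dir, dlen + 1);  /* copies the terminating NUL too */
    return 0;
}

int main(void)
{
    char mapped[EXAMPLE_MAXPATHLEN] = "/";
    char long_dir[2000];                 /* constructed oversized component */

    memset(long_dir, 'A', sizeof(long_dir) - 1);
    long_dir[sizeof(long_dir) - 1] = '\0';

    printf("%d ", append_dir(mapped, sizeof(mapped), "pub"));
    printf("%s\n", mapped);
    /* 1999 bytes passes a "< 4095" test but cannot fit in 1024 bytes. */
    printf("%d ", append_dir(mapped, sizeof(mapped), long_dir));
    printf("%s\n", mapped);
    return 0;
}
```

sizeof gives the array size only where the array itself is in scope; a function that receives a pointer has to be passed the capacity, as above.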