[12758] in bugtraq
wu-ftpd bug
daemon@ATHENA.MIT.EDU (m4rcyS)
Mon Nov 29 14:52:31 1999
Message-Id: <Pine.LNX.4.10.9911291642130.1580-100000@pentium.localdomain>
Date: Mon, 29 Nov 1999 17:43:16 +0100
Reply-To: m4rcyS <marcys@FREE.COM.PL>
From: m4rcyS <marcys@FREE.COM.PL>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
I guess some people hope to find here remote shell xploit, huehue.
Calm down, not this time ;) OK, let's go. Everything happens on
vanilla RH 6.1 box.
$ man ftpaccess
    guestserver [<hostname>]
        Controls which hosts may be used for anonymous or
        guest access. If used without <hostname>, denies all
        guest or anonymous access to this site. More than
        one <hostname> may be specified. Guest and anonymous
        access will only be allowed on the named machines.
        If access is denied, the user will be ased to use the
        first <hostname> listed.
This one looks especially interesting: "If used without <hostname>, denies
all guest or anonymous access to this site."
Hmm, let's try:
# echo guestserver >>/etc/ftpaccess
$ ftp 0
Connected to 0.
220 FTP server ready.
Name (0:marcys): ftp
331 Guest login ok, send your complete e-mail address as password.
Huh ? Pretty funny :) Now there're 3 possibilities:
1. ftpd bug
2. man page bug
3. I'm misunderstanding all this stuff
Which one's correct ?
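PS.: One thing I'm sure of: there is a bug in the manpage. Patch? It's
straightforward - just do:
    # \<...\> (GNU sed word boundaries) keeps words such as "based" intact;
    # && keeps mv from replacing the man page if sed fails
    sed -e 's/\<ased\>/asked/g' /usr/man/man5/ftpaccess.5 >~/abc &&
    mv -f ~/abc /usr/man/man5/ftpaccess.5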
;))
greetz,
____________________________________________________________
m4rcyS
email: marcel@linux.com.pl, m@sh.pl
"I think there is a world market for maybe five computers."
- Thomas Watson, chairman of IBM, 1943
------------------------------------------------------------
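
The check the post does by hand, as an added example that is not part of the original message and not wu-ftpd code: it reads the guestserver policy out of ftpaccess as the man page documents it and compares that with the server's reply to USER ftp. The function names, the sample config, the 530 line and the parsing assumptions (comment lines start with '#', keyword match ignores case) are constructed for illustration.

```python
# Added example: compare what ftpaccess says about guest access with what
# the FTP server actually answers to `USER ftp`. Sample inputs are constructed.

def guest_policy(ftpaccess_text):
    """Return (restricted, hosts) following the man page text for guestserver.

    (False, [])      no guestserver line: the directive imposes no limit
    (True, [])       bare guestserver: documented as denying all guest access
    (True, [h, ...]) guest access allowed only on the named hosts
    """
    restricted, hosts = False, []
    for raw in ftpaccess_text.splitlines():
        fields = raw.split()
        # Assumptions: '#' starts a comment line, keyword match ignores case.
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].lower() == "guestserver":
            restricted = True
            hosts.extend(fields[1:])
    return restricted, hosts


def anonymous_accepted(user_reply):
    """True if the reply to USER ftp lets a guest login proceed.

    331 is the reply shown in the post; 230 would mean logged in outright.
    Any other code (for example 530, RFC 959 "Not logged in") is a refusal.
    """
    return int(user_reply[:3]) in (230, 331)


def audit(ftpaccess_text, server_name, user_reply):
    """Compare documented policy with observed behaviour for one host name."""
    restricted, hosts = guest_policy(ftpaccess_text)
    expected = (not restricted) or server_name in hosts
    observed = anonymous_accepted(user_reply)
    if expected == observed:
        return "OK"
    return "MISMATCH: config %s guest login, server %s it" % (
        "allows" if expected else "denies",
        "accepts" if observed else "refuses")


if __name__ == "__main__":
    conf = "class all real,guest,anonymous *\nguestserver\n"   # constructed
    reply = "331 Guest login ok, send your complete e-mail address as password."
    print(audit(conf, "localhost", reply))
    print(audit(conf, "localhost", "530 constructed refusal line"))
```

Run against the real /etc/ftpaccess and the banner exchange captured from the server, a MISMATCH result is the situation the post describes: the config is documented as denying guest access while the daemon still answers 331.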