[13094] in bugtraq

Re: ftp conversions exploit

daemon@ATHENA.MIT.EDU (Alexey Chetroi)
Fri Dec 24 13:44:38 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.GSO.4.20.9912240849500.7988-100000@twilight.telco.md>
Date:         Fri, 24 Dec 1999 08:51:21 +0200
Reply-To: Alexey Chetroi <lex@TWILIGHT.TELCO.MD>
From: Alexey Chetroi <lex@TWILIGHT.TELCO.MD>
X-To:         David Malone <dwmalone@MATHS.TCD.IE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19991222200112.A30322@walton.maths.tcd.ie>

On Wed, 22 Dec 1999, David Malone wrote:

> On Wed, Dec 22, 1999 at 04:47:25AM +0000, Desi Hacker wrote:
>
> > during the exploiting process.. the final step as instructed by the author
> > doesn't work
> >
> > ftp> get "--use-compress-program=sh blah".tar
> > or
> > ftp> get "--use-compress-program=sh blah".tar
> >
> > instead it gives a warning of permission denied!
> > in case of anon ftp logging
>
> The ftpaccess man page contains the following example line:
>
> 	path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
>
> which disallows filenames starting with . or - to anonymous users.
> Maybe your ftpaccess line contains this?

It doesn't disallow filenames starting with . or -; it disallows filenames
with spaces.

>
> 	David.
>
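
Added example (not part of the original messages): the path-filter line quoted above, evaluated against a few file names so an administrator can see which rule rejects what. It assumes a name is accepted only when it matches the first pattern and none of the later ones, and uses Python's re module in place of the server's own regex matcher; the function names and all sample names other than the one quoted in the thread are constructed.

```python
import re

# The example line from the ftpaccess man page, as quoted in the thread.
FTPACCESS_LINE = r"path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-"


def parse_path_filter(line):
    """Split a path-filter line into (typelist, msgfile, allowed, disallowed)."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "path-filter":
        raise ValueError("not a path-filter line: %r" % line)
    typelist = fields[1].split(",")
    allowed = re.compile(fields[3])
    disallowed = [re.compile(p) for p in fields[4:]]
    return typelist, fields[2], allowed, disallowed


def violations(name, allowed, disallowed):
    """Return every rule a file name breaks (empty list means accepted)."""
    broken = []
    # Assumption: the first pattern is a whitelist the whole name must match.
    if not allowed.search(name):
        broken.append("not matched by allowed " + allowed.pattern)
    # Assumption: any match of a later pattern rejects the name.
    for pat in disallowed:
        if pat.search(name):
            broken.append("matched disallowed " + pat.pattern)
    return broken


def check(names, line=FTPACCESS_LINE):
    """Map each name to the list of rules it breaks under the given line."""
    _, _, allowed, disallowed = parse_path_filter(line)
    return {n: violations(n, allowed, disallowed) for n in names}


# Constructed sample names, plus the file name quoted in the thread (last).
SAMPLES = ["README.txt", ".rhosts", "-rf", "my file.tar",
           "--use-compress-program=sh blah"]

if __name__ == "__main__":
    for name, broken in check(SAMPLES).items():
        print("%-34r %s" % (name, "; ".join(broken) or "accepted"))
```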
