[13095] in bugtraq
Re: Multiple vulnerabilities in glFtpD (current versions)
daemon@ATHENA.MIT.EDU (Per Lejontand)
Fri Dec 24 13:45:49 1999
Mail-Followup-To: suid <suid@SUID.KG>, BUGTRAQ@SECURITYFOCUS.COM
Message-Id: <19991223222957.Q19537@alc.silicon.nu>
Date: Thu, 23 Dec 1999 22:29:57 +0100
Reply-To: Per Lejontand <pele@ACC.UMU.SE>
From: Per Lejontand <pele@ACC.UMU.SE>
X-To: suid <suid@SUID.KG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.20.9912231131330.22882-100000@jawa.chilli.net.au>;
from suid@SUID.KG on Thu, Dec 23, 1999 at 11:31:53AM +1100
On Thu, Dec 23, 1999 at 11:31:53AM +1100 suid wrote:
> 3) SITE ZIPCHK command:
>
> The SITE command ZIPCHK can be used to check the validity of a ZIP file on a server.
> Presumably this is so you can make sure the ZIP file you are about to download is valid
> and free from error. The way this works is thus:
>
> glFtpD user does:
> ftp> quote SITE ZIPCHK XXXXX.ZIP
>
> glFtpD then runs a shell script with XXXXX.ZIP as argv[1] or 2.
> which calls /bin/unzip etc etc.
>
> If a user is able to create a filename with ";" characters in the name, they can
> execute arbitrary code on the remote server with the privilege level of the server.
An easy fix should be to override the command in glftpd.conf (or equivalent) with
something like:
site_cmd ZIPCHK TEXT /ftp-data/misc/disabled
Which causes a text file to be displayed rather than a command executed.
--
//Per
.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,
Per Lejontand, Student of Computer science, Admin @ {acc,ltlab}.umu.se
Phone: +46-70-2163191
*** Stay away from hurricanes for a while.
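
An added example, not part of the original message or of glFtpD: alongside disabling ZIPCHK, an administrator can audit the site tree for file names that would be unsafe to hand to a shell script. The allow-list below (letters, digits, '.', '_', '-', no leading '-') is an assumed policy that goes beyond the ";" case described above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an FTP tree for file names that are unsafe to pass
# to a shell script. The allow-list is an assumed policy, not glFtpD's.
LC_ALL=C
export LC_ALL   # make the A-Z / a-z ranges mean plain ASCII

# Return 0 only if the name consists solely of letters, digits, '.', '_'
# and '-', is not empty, and does not start with '-' (a leading '-' would
# be read as an option by tools such as unzip).
name_is_safe() {
    case $1 in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print every entry under directory $1 whose base name fails the
# allow-list (';', spaces, quotes, '$', backticks, newlines and so on).
# The starting directory's own base name is checked as well.
list_unsafe_names() {
    find "$1" \( -name '*[!A-Za-z0-9._-]*' -o -name '-*' \) -print
}

# Count the same entries. One 'x' is emitted per match, so a name that
# contains a newline is still counted exactly once.
count_unsafe_names() {
    find "$1" \( -name '*[!A-Za-z0-9._-]*' -o -name '-*' \) \
        -exec printf x \; | wc -c | tr -d ' '
}
```

Run `list_unsafe_names` against the FTP data directory to see which existing names need renaming or removal; a non-zero result from `count_unsafe_names` can be used as a cron alert condition.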