[19775] in bugtraq
Re: Multiple vendors FTP denial of service
daemon@ATHENA.MIT.EDU (Markku Savela)
Thu Mar 22 14:40:41 2001
Mime-Version: 1.0 (generated by tm-edit 7.106)
Content-Type: text/plain; charset=US-ASCII
Message-ID: <200103212229.AAA26445@burp>
Date: Thu, 22 Mar 2001 00:29:46 +0200
Reply-To: Markku.Savela@iki.fi
From: Markku Savela <msa@BURP.TKV.ASDF.ORG>
X-To: stefan@WORLDBANK.RO
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010321005503.C10841@worldbank.ro> (message from Stefan Laudat on Wed, 21 Mar 2001 00:55:03 +0200)
> > > ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
> > disable globbing symbols with: DenyFilter "[\*\?]" ?
> ... and as a quick fix for nasty shell users having bash prompts on your machine, just
> enter 'set -f' in the /etc/profile. Of course, until we will get a fixed bash or
> a fixed libc(?).
Is this the same ages-old bug of a too simple-minded wildcard matching
algorithm (it plagued IRC years ago and was trivially fixed by a globbing
algorithm that didn't have this problem)? I would have expected libs
to have been fixed already...
To test if your system/shell has a bad globbing algorithm, just do
touch aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
ls *a*a*a*a*a*a*a*a*a*a*a*a*a*a*b*
and see if it freezes...
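An added illustration of the algorithmic point above (not code from this thread or from any libc): a textbook recursive globber that re-explores every split at each `*`, beside a matcher that backtracks only to the most recent `*`. Both count their own work, so the difference can be measured without waiting for anything to freeze; the pattern names and the step-counting helper are mine.

```python
"""Naive vs. bounded glob matching for '*' and '?' patterns (added example)."""


def naive_match(pattern: str, text: str, steps: list) -> bool:
    """Recursive glob: each '*' tries every split point and recurses.
    On non-matching input such as all-'a' text against *a*a*a*b*, the
    call count grows polynomially with degree about the number of '*'s,
    which with fifteen stars is effectively forever. steps[0] = calls."""
    steps[0] += 1
    if not pattern:
        return not text
    if pattern[0] == "*":
        return any(naive_match(pattern[1:], text[i:], steps)
                   for i in range(len(text) + 1))
    return bool(text) and pattern[0] in ("?", text[0]) \
        and naive_match(pattern[1:], text[1:], steps)


def bounded_match(pattern: str, text: str, steps: list) -> bool:
    """Iterative glob: on a mismatch, return to the most recent '*' and let
    it absorb one more character. Work is bounded by len(text) * len(pattern)
    instead of being polynomial in the star count. steps[0] = iterations."""
    px = tx = 0
    star_px = star_tx = -1       # last '*' seen and the text offset it started at
    while tx < len(text):
        steps[0] += 1
        if px < len(pattern) and pattern[px] == "*":
            star_px, star_tx = px, tx
            px += 1
        elif px < len(pattern) and pattern[px] in ("?", text[tx]):
            px += 1
            tx += 1
        elif star_px >= 0:
            px = star_px + 1
            star_tx += 1
            tx = star_tx
        else:
            return False
    while px < len(pattern) and pattern[px] == "*":   # trailing '*' matches ""
        px += 1
    return px == len(pattern)


def count_steps(matcher, pattern: str, text: str) -> int:
    """Run matcher on (pattern, text) and return the work counter."""
    steps = [0]
    matcher(pattern, text, steps)
    return steps[0]


if __name__ == "__main__":
    page_pattern = "*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b*"   # the ls pattern from the mail
    print("bounded, 88 a's:", count_steps(bounded_match, page_pattern, "a" * 88))
    for n in (4, 8, 12):   # shorter pattern for the naive one; the full one never returns
        print("naive, %2d a's:" % n, count_steps(naive_match, "*a*a*a*b*", "a" * n))
```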