[15450] in bugtraq
Re: WuFTPD: Providing *remote* root since at least1994
daemon@ATHENA.MIT.EDU (Peter Pentchev)
Fri Jun 23 17:11:19 2000
Message-ID: <20000623181954.W5311@ringwraith.oblivion.bg>
Date: Fri, 23 Jun 2000 18:19:54 +0300
Reply-To: Peter Pentchev <roam@ORBITEL.BG>
From: Peter Pentchev <roam@ORBITEL.BG>
To: BUGTRAQ@SECURITYFOCUS.COM
For a quick-and-dirty solution, apply the attached patch to
the source of wu-ftpd-2.6.0 release. It adds to the configure
script a --enable-nositecmd option, which disables all SITE *
commands without the adverse effects of --enable-paranoid.
G'luck,
Peter Pentchev
----------------------------------------------
Hi! I'm an e-mail attachment virus! Copy me into your signature to help me spread!
Content-Type: application/x-gunzip
Content-Disposition: attachment; filename="wu-ftpd-2.6.0+nositecmd.patch.gz"
diff -urN wu-ftpd-2.6.0/config.h.in wu-ftpd-2.6.0+nositecmd/config.h.in
--- wu-ftpd-2.6.0/config.h.in Sat Sep 18 17:26:10 1999
+++ wu-ftpd-2.6.0+nositecmd/config.h.in Fri Jun 23 18:10:44 2000
@@ -94,6 +94,13 @@
#undef PARANOID
/*
+ * NOSITECMD
+ * Disable SITE command family only
+ */
+
+#undef NOSITECMD
+
+/*
* SKEY
* Add SKEY support -- REQUIRES SKEY libraries
* See FIXES-2.4-HOBBIT for more information on this option.
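Review bot: the new `NOSITECMD` comment says "only" without saying relative to what. State that it refuses the whole SITE command family without turning on the other restrictions of `PARANOID`, and that `PARANOID` already covers the same code paths (both macros are tested together in `src/ftpcmd.y`), so someone reading `config.h` knows which of the two to set.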
diff -urN wu-ftpd-2.6.0/configure wu-ftpd-2.6.0+nositecmd/configure
--- wu-ftpd-2.6.0/configure Sun Oct 3 15:52:12 1999
+++ wu-ftpd-2.6.0+nositecmd/configure Fri Jun 23 18:10:44 2000
@@ -63,6 +63,8 @@
ac_help="$ac_help
--enable-paranoid disable some "questionable" features"
ac_help="$ac_help
+ --enable-nositecmd disable SITE family commands"
+ac_help="$ac_help
--enable-quota add QUOTA support (if your OS supports it)"
ac_help="$ac_help
--enable-pam add PAM support (needs PAM library)"
@@ -1506,6 +1508,14 @@
fi
+# Check whether --enable-nositecmd or --disable-nositecmd was given.
+if test "${enable_nositecmd+set}" = set; then
+ enableval="$enable_nositecmd"
+ nositecmd=$enableval
+else
+ nositecmd=no
+fi
+
# Check whether --enable-quota or --disable-quota was given.
if test "${enable_quota+set}" = set; then
enableval="$enable_quota"
@@ -3622,6 +3632,12 @@
if test $paranoid = yes; then
cat >> confdefs.h <<\EOF
#define PARANOID 1
+EOF
+
+fi
+if test $nositecmd = yes; then
+ cat >> confdefs.h <<\EOF
+#define NOSITECMD 1
EOF
fi
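Review bot: `test $nositecmd = yes` is unquoted and matches only the literal `yes`, so an empty value (`--enable-nositecmd=`) makes `test` fail with a syntax error and any other value is silently treated as off. In both cases `NOSITECMD` is never defined and the build keeps the SITE commands the operator asked to remove. Quote it as `test "$nositecmd" = yes` and consider aborting configure on an unrecognised value; the matching test in `configure.in` needs the same change. The neighbouring `$paranoid` test follows the same pattern.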
diff -urN wu-ftpd-2.6.0/configure.in wu-ftpd-2.6.0+nositecmd/configure.in
--- wu-ftpd-2.6.0/configure.in Sun Oct 3 15:52:12 1999
+++ wu-ftpd-2.6.0+nositecmd/configure.in Fri Jun 23 18:11:34 2000
@@ -120,6 +120,10 @@
[ --enable-paranoid disable some "questionable" features],
[ paranoid=$enableval ], [ paranoid=no ])
+AC_ARG_ENABLE(nositecmd,
+ [ --enable-nositecmd disable SITE family commands],
+ [ nositecmd=$enableval ], [ nositecmd=no ])
+
AC_ARG_ENABLE(quota,
[ --enable-quota add QUOTA support (if your OS supports it)],
[ quota=$enableval ], [ quota=no ])
@@ -731,6 +735,9 @@
fi
if test $paranoid = yes; then
AC_DEFINE(PARANOID)
+fi
+if test $nositecmd = yes; then
+ AC_DEFINE(NOSITECMD)
fi
if test $quota != no; then
AC_CHECK_HEADERS(sys/quota.h sys/fs/ufs_quota.h ufs/quota.h jfs/quota.h ufs/ufs/quota.h linux/quota.h)
diff -urN wu-ftpd-2.6.0/src/ftpcmd.y wu-ftpd-2.6.0+nositecmd/src/ftpcmd.y
--- wu-ftpd-2.6.0/src/ftpcmd.y Wed Oct 13 18:15:28 1999
+++ wu-ftpd-2.6.0+nositecmd/src/ftpcmd.y Fri Jun 23 18:12:10 2000
@@ -1518,7 +1518,8 @@
p = lookup(sitetab, cp);
cbuf[cpos] = c;
if (p != 0) {
-#ifndef PARANOID /* what GOOD is SITE *, anyways?! _H */
+#if !(defined(PARANOID) || defined(NOSITECMD))
+ /* what GOOD is SITE *, anyways?! _H */
if (p->implemented == 0) {
#else
if (1) {
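Review bot: the explanatory comment that used to sit on the `#ifndef PARANOID` line now lands inside the branch compiled when neither macro is defined, where it reads as a remark on `p->implemented == 0`. Move it above the `#if` and say what the condition does: with `PARANOID` or `NOSITECMD` defined, every subcommand found in `sitetab` takes the `if (1)` path. The body of that path and the `p == 0` case are outside this hunk, so the review should confirm both end in a refusal.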
@@ -1864,7 +1865,7 @@
void site_exec(char *cmd)
{
-#ifdef PARANOID
+#if defined(PARANOID) || defined(NOSITECMD)
syslog(LOG_CRIT, "REFUSED SITE_EXEC (slipped through!!): %s", cmd);
#else
char buf[MAXPATHLEN];
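Review bot: in the refused branch of `site_exec`, `cmd` is client-supplied and goes to syslog unmodified. The fixed format string with `%s` is correct, but control characters or a very long argument can still distort the `LOG_CRIT` line, so escape non-printable bytes and cap the length before logging. Also, `site_exec` is the only handler that gets this second guard in the patch; every other SITE subcommand depends solely on the `sitetab` lookup gate earlier in `ftpcmd.y`, which deserves a comment here or the same `#if` in those handlers.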