On Fri, 12 Feb 1999, Henrik Storner wrote:

> I looked into the patch that Red Hat included with the new wu-ftpd
> package.
> It does implement some checking of the parameters given to the ftp
> daemon's realpath() routine; however, at the very top of this routine
> there is an unguarded "strcpy(currpath, pathname)" - the currpath buffer
> is declared locally of size MAXPATHLEN (4K on Linux, it seems).
>
> It looks as if it is still vulnerable.

I think that you are wrong. Look at the ftpd.c code.
The *pathname can only have up to 250 chars while curpath[1024] ;)

---
Tomasz Grabowski (0-91)4333950
Akademickie Centrum Informatyki
mailto:cadenceat_private
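
The exchange above turns on whether a length limit in the caller makes an unguarded copy in the callee safe. As an added example (not code from the original post or from wu-ftpd), this sketch bounds the copy inside the routine itself so the guarantee holds for every caller. The names `bounded_len`, `copy_path_checked`, `resolve_entry` and `PATH_BUF` are hypothetical, and the base-directory join goes slightly beyond the case discussed in the thread.

```c
#include <errno.h>
#include <string.h>

#define PATH_BUF 1024  /* assumed: the size quoted in the reply, curpath[1024] */

/* Length of s, but never reading more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hypothetical helper: copy src into dst only if it fits with its NUL.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG otherwise. */
static int copy_path_checked(char *dst, size_t dstsize, const char *src)
{
    size_t len = bounded_len(src, dstsize);
    if (len >= dstsize) {          /* no room left for the terminator */
        if (dstsize > 0) dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hypothetical stand-in for the start of a realpath()-style routine: the
 * initial copy and the later base join are both bounded here, for every caller. */
int resolve_entry(const char *base, const char *pathname,
                  char *out, size_t outsize)
{
    char currpath[PATH_BUF];
    size_t blen, plen;
    if (copy_path_checked(currpath, sizeof currpath, pathname) != 0)
        return -1;
    if (currpath[0] == '/')        /* absolute: base is not used */
        return copy_path_checked(out, outsize, currpath);
    blen = bounded_len(base, outsize);
    plen = strlen(currpath);
    if (blen >= outsize || plen + 1 >= outsize - blen) {
        errno = ENAMETOOLONG;      /* base + '/' + path + NUL would not fit */
        return -1;
    }
    memcpy(out, base, blen);
    out[blen] = '/';
    memcpy(out + blen + 1, currpath, plen + 1);
    return 0;
}
```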