> Workaround:
>
> wu-ftpd and variants that use files /etc/ftp* for configuration
> can easily help protect you against the many recent variants that
> exploit buffer overflows with MKDIR. All the varieties I've
> seen require creating a directory or file - that's where the
> overflow happens.
>
> In /etc/ftpaccess, you have the option to specify what commands
> may and may not be run by particular users. Just add lines to
> specify that user anonymous (or whatever others you want) cannot
> put, delete, mkdir, etc.
>
> E.g., lines like these:
>
> chmod no anonymous
> delete no anonymous
> overwrite no anonymous
> rename no anonymous
> mkdir no anonymous
> upload no anonymous

If you still want to let anonymous users create directories, take a look at the path-filter option for that very same file.

# path-filter...
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

When I tried the exploit on myself I got a lot of "Permission denied (pathname)", so at least it seems to work.
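The following is an added example, not part of the original post or of wu-ftpd: a small Python check that parses the path-filter line quoted above and reports which names it would accept. It assumes Python's `re` is close enough to the server's regex matcher and that the filter is applied to the final path component; the sample names are constructed. It also shows that the allowed pattern restricts characters but places no limit on name length.

```python
import re

# The path-filter line from the post. ftpaccess syntax:
# path-filter <typelist> <mesg> <allowed_regexp> [<disallowed_regexp> ...]
FTPACCESS_LINE = r"path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-"

def _compile(pattern):
    # Assumption: Python's re stands in for the server's regex matcher.
    # A trailing "$" becomes "\Z" so a name ending in a newline is not accepted.
    if pattern.endswith("$") and not pattern.endswith(r"\$"):
        pattern = pattern[:-1] + r"\Z"
    return re.compile(pattern)

def parse_path_filter(line):
    fields = line.split()
    if len(fields) < 4 or fields[0] != "path-filter":
        raise ValueError("not a path-filter line")
    return {
        "types": fields[1].split(","),
        "message": fields[2],
        "allowed": _compile(fields[3]),
        "disallowed": [_compile(p) for p in fields[4:]],
    }

def name_permitted(rule, path):
    # Assumption: the check applies to the last path component only.
    name = path.rsplit("/", 1)[-1]
    if not rule["allowed"].search(name):
        return False
    return not any(p.search(name) for p in rule["disallowed"])

RULE = parse_path_filter(FTPACCESS_LINE)

# Constructed sample names (not taken from any real session).
SAMPLES = [
    "incoming/report_2001.txt",  # plain name: accepted
    "incoming/.hidden",          # leading dot: hits disallowed ^\.
    "-rf",                       # leading dash: hits disallowed ^-
    "has space",                 # space is outside the allowed set
    "bin\x01\xffdata",           # non-printable bytes are outside the allowed set
    "A" * 5000,                  # only allowed characters: accepted at any length
]

def report():
    return {name: name_permitted(RULE, name) for name in SAMPLES}

if __name__ == "__main__":
    for name, ok in report().items():
        print("%-5s %r" % ("allow" if ok else "deny", name[:40]))
```
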
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:05 PDT