Re: ... / wu-ftpd <=2.5 / ...

From: Volker Borchert (btat_private)
Date: Wed Aug 25 1999 - 02:48:18 PDT

    |> ----------------------------
    |> wu-ftpd 2.5, VR and BeroFTPD
    |> ----------------------------
    
    *** ftpd.c	Sun Jun  6 15:20:21 1999
    --- ftpd_patched.c	Sun Jun  6 15:15:03 1999
    ***************
    *** 1245,1251 ****
            /* append the dir part with a leading / unless at root */
            if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
                    strcat( mapped_path, "/" );
    !       strcat( mapped_path, dir );
      }
    
      int
    --- 1245,1254 ----
            /* append the dir part with a leading / unless at root */
            if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
                    strcat( mapped_path, "/" );
    !       if ( strlen(mapped_path) + strlen (dir) < 4095 )
    !               strcat( mapped_path, dir );
    !       else
    !         syslog(LOG_ERR, "FTP mapped_path attack ");
      }
    
      int
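
    Review bot: the added test `strlen(mapped_path) + strlen (dir) < 4095`
    uses a literal that has no visible tie to how mapped_path is declared;
    write it as `strlen(mapped_path) + strlen(dir) < sizeof(mapped_path)` so
    the bound follows the array. The `strcat( mapped_path, "/" )` just above
    is still unguarded and runs before the check, so count the separator in
    the same test. The else branch only logs and then falls through to the
    end of the function with the "/" already appended; consider leaving
    mapped_path unchanged on failure and signalling the error to the caller.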
    
    This patch has a serious flaw - like making the wolf your shepherd:
    the hard coded "4095" buffer size. See line 1200:
    
    	char mapped_path[ MAXPATHLEN ] = "/";
    
    For example, on this here machine running SunOS 5.6, MAXPATHLEN is
    1024. Use "sizeof(mapped_path)" instead.
    
    (BTW, your diff contains DOS style "cr/lf" sequences, so anyone
     willing to apply it should pipe it into "patch" via "dos2unix".)
    
    	vb
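
The bound the reply asks for, tied to the buffer's declared size and also counting the "/" separator, as an added example (not code from wu-ftpd or from either poster). `append_dir` and `DEMO_PATHLEN` are hypothetical names, and the 16-byte buffer is a stand-in for `MAXPATHLEN`.

```c
#include <stdio.h>
#include <string.h>

/* Small stand-in for MAXPATHLEN so the limit is easy to hit
   (assumption: the real value is platform-defined). */
#define DEMO_PATHLEN 16

static char mapped_path[DEMO_PATHLEN] = "/";

/* Hypothetical helper: append "/dir" to buf, whose capacity cap includes
   the terminating NUL. Returns 0 on success; returns -1 and leaves buf
   untouched if the separator plus dir would not fit. */
static int append_dir(char *buf, size_t cap, const char *dir)
{
    size_t used = strlen(buf);
    size_t sep  = (buf[0] == '/' && buf[1] == '\0') ? 0 : 1; /* no "/" at root */
    size_t need = strlen(dir);

    /* Compare against the space that is left, keeping one byte for NUL. */
    if (used >= cap || sep + need > cap - used - 1)
        return -1;

    if (sep)
        buf[used++] = '/';
    memcpy(buf + used, dir, need + 1);   /* copies the NUL as well */
    return 0;
}

int main(void)
{
    /* Constructed inputs: the third component does not fit in 16 bytes. */
    const char *parts[] = { "pub", "incoming", "toolong" };
    for (size_t i = 0; i < 3; i++) {
        /* sizeof(mapped_path) tracks the declaration, whatever its size. */
        int rc = append_dir(mapped_path, sizeof(mapped_path), parts[i]);
        printf("%-8s -> %s (%s)\n", parts[i], mapped_path,
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```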
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:16 PDT