On Wed, 22 Dec 1999, Desi Hacker wrote: > during the exploiting process.. the final step as instructed by the auther > doesn't work > > ftp> get "--use-compress-program=sh blah".tar > or > ftp> get "--use-compress-program=sh blah".tar > > instead is gives a warning of permission denied! > in case of anon ftp logging The author made it fairly clear that this exploit applied to non-anonymous accounts, which are more trusted by default than the anonymous FTP account. The exploit should also fail for anonymous users in the next step which requires rights to do a SITE CHMOD. The moral of the exploit seems to be that you shouldn't trust people with non-anon FTP access who you wouldn't trust with shell accounts.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:23:35 PDT