Re: Multiple vendors FTP denial of service

From: Alun Jones (alunat_private)
Date: Mon Apr 23 2001 - 07:27:20 PDT


    > a quick note, Winsock FTPD 3.00 pro and 2.41
    > (maybe prior) are vulnerable
    
    Thanks for the note - we released 3.00 R4 last week 
    to fix this vulnerability.  [We now refuse to list any 
    parameter list containing "/.."]
    
    > PS: Serv-U ftp doesn't seem to be vulnerable
    
    No duh - Serv-U doesn't bother to expand wildcards 
    in non-terminal path elements.  I spent a good couple 
    of hours putting the code into WFTPD to do that, for 
    one particular customer's requirement.  Note - there 
    is no "glob" in Windows (at least, not that works this 
    way), and so we're apparently _not_ vulnerable to the 
    other glob problem reported elsewhere.
    
    Alun.
    ~~~~
    


