Hi all, Long arguments for USER, PASS, PORT, DELE, REST, RMD, and MKD (perhaps others as well) sent to CesarFTPd (www.aclogic.com) will cause a stack overflow. I e-mailed the vendor almost 2 weeks ago and have recieved no response. :-/ Cerberus FTPd (mentioned in some-one's BugTraq post earlier - I forget who), has a couple of other overflows which weren't mentioned (PASS <long>, PASV\n x (lots), etc) and this vendor is also irresponsive. It seems that developers who make free software for the Win32 platform tend to believe that because their product is free, they don't have to maintain it at all, nor release source so that other people can. :-/ Anyway, these two daemons should be considered insecure - don't run them. Cheers, Andrew Lewis -- wizdumb at leet dot org http://www.mdma.za.net/fk
This archive was generated by hypermail 2b30 : Wed Jul 04 2001 - 14:13:19 PDT