> i tested an old proftpd bug (ls /../*/../*/../*/../*/../*/../*/../*) on
> many new Linux-Dist.. When a user logged in in ftp and type
> the ls command the in.ftpd takes over 90 percent cpu-usage and execute
> the command 2 or 3x then the full system hang up. it also works in
> console. I wonder that is not fixed. THIS BUG IS OLD. POSTED ON BUGTRAQ
> in march 01, but
> it still works so i post it again.
>
> affected:
>
> RedHat Linux 7.x
> Linux Mandrake 8.0
> SuSE Linux 7.2

I wonder when or where you tested this. The proftpd package that can be
found in the /pub/suse/<arch>/update/*/n1/ directories on ftp.suse.com
(age: May 9th) does not show this behaviour and appears to be sane.

[...]

> Fix:
>
> set cpu-limit for your anonymous user.

I doubt that this solution is very efficient if you provide automatic gzip
(and maybe tar) service so that your users can get a directory recursively
in form of a tarfile by using the command
get directory_name.tar.gz
You'd have to choose...

Also recommended:
DenyFilter "%"
if there are more format string errors in the code, this might be an easy
workaround until the code is fixed in the right place.

Roman.
--
 -                                                                      -
| Roman Drahtmüller      <drahtat_private> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
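
Added example, not part of the original message and not ProFTPD code: a small Python model of why the quoted "ls" pattern is so expensive, and of a server-side guard that refuses a glob once its expansion exceeds a fixed budget. The directory tree, the function names and the budget of 1000 are assumptions made for illustration.

```python
import fnmatch

class GlobBudgetExceeded(Exception):
    """Raised when a pattern generates more candidates than allowed."""

# Constructed sample filesystem: each directory maps to its subdirectories.
SAMPLE_ROOT = {"bin": {}, "etc": {}, "home": {"ftp": {}},
               "pub": {"incoming": {}}, "usr": {}, "var": {}}

def expand(pattern, root, budget):
    """Expand an absolute glob against `root`; return (paths, steps).

    Every "*" multiplies the candidate list by the number of entries in
    the current directory, and every ".." walks back up, so "/../*/../*"
    repeated k times yields N**k textual paths for a root with N entries.
    """
    steps = 0
    # Each candidate is (textual path, stack of directory nodes from root).
    candidates = [("", [root])]
    for seg in [s for s in pattern.split("/") if s]:
        nxt = []
        for text, stack in candidates:
            if seg == "..":
                # ".." at the root stays at the root, as on a real filesystem.
                matches = [("..", stack[:-1] if len(stack) > 1 else stack)]
            else:
                matches = [(name, stack + [child])
                           for name, child in sorted(stack[-1].items())
                           if fnmatch.fnmatchcase(name, seg)]
            for name, new_stack in matches:
                steps += 1
                if steps > budget:
                    raise GlobBudgetExceeded(
                        f"{pattern!r}: more than {budget} candidates")
                nxt.append((text + "/" + name, new_stack))
        candidates = nxt
    return [text for text, _ in candidates], steps

def safe_list(pattern, root=SAMPLE_ROOT, budget=1000):
    """Hypothetical guard: return the listing, or a refusal string."""
    try:
        return expand(pattern, root, budget)[0]
    except GlobBudgetExceeded as exc:
        return f"refused: {exc}"

if __name__ == "__main__":
    print(safe_list("/pub/*"))
    print(safe_list("/../*/../*/../*/../*/../*/../*/../*"))
```

Unlike a CPU limit on the whole session, a budget of this kind applies only to pattern expansion, so a legitimate long-running transfer such as the tar.gz download mentioned above is not affected by it.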
This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 17:10:54 PDT