
system/2192: Security hole in ftp-proxy




>Number:         2192
>Category:       system
>Synopsis:       Security hole in ftp-proxy
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Nov 22 05:00:01 MST 2001
>Last-Modified:
>Originator:     Jedi/Sector One
>Organization:
net
>Release:        OpenBSD 3.0
>Environment:
	System      : OpenBSD 3.0
	Architecture: OpenBSD.i386
	Machine     : i386
>Description:

ftp-proxy has a nice option (-A) to only allow anonymous connections.

However, this only checks for /^USER anonymous/ or /^USER ftp/ .

Some buggy FTP daemons trim spaces before commands. By adding an
extra space before "USER", ftp-proxy restrictions can be bypassed.

>How-To-Repeat:

USER nonanon
500 Only anonymous ftp is allowed

 USER nonanon
331 Password required for nonanon.
 
Successfully tested with proftpd 1.2.4 and ncftpd 2.7.0 .

>Fix:

Don't check for /^USER/i, check for /^\s*USER/i .

>Audit-Trail:
>Unformatted:
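
The check described in this report, next to the fix it suggests, as an added example that is not part of the original report and not ftp-proxy's own code. The function name `allow_line`, the `skip_leading_ws` switch and the case-insensitive comparison are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* 1 if the USER argument is exactly "anonymous" or "ftp" (CRLF stripped). */
static int arg_is_anonymous(const char *arg)
{
    size_t n = strcspn(arg, "\r\n");
    return (n == 9 && strncasecmp(arg, "anonymous", 9) == 0) ||
           (n == 3 && strncasecmp(arg, "ftp", 3) == 0);
}

/*
 * Decide whether a client command line may be forwarded to the server
 * (1) or must be answered with "500 Only anonymous ftp is allowed" (0).
 * skip_leading_ws = 0: match USER only at column 0 (behaviour in the report).
 * skip_leading_ws = 1: skip whitespace first (the report's suggested fix).
 */
int allow_line(const char *line, int skip_leading_ws)
{
    if (skip_leading_ws)
        while (isspace((unsigned char)*line))
            line++;
    if (strncasecmp(line, "USER ", 5) != 0)
        return 1;               /* not seen as USER: forwarded unchanged */
    return arg_is_anonymous(line + 5);
}

int main(void)
{
    /* Constructed sample lines, based on the How-To-Repeat section. */
    const char *samples[] = { "USER nonanon\r\n", " USER nonanon\r\n",
                              " USER anonymous\r\n", "USER ftp\r\n" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-22.*s column-0: %d  ws-skipped: %d\n",
               (int)strcspn(samples[i], "\r\n"), samples[i],
               allow_line(samples[i], 0), allow_line(samples[i], 1));
    return 0;
}
```

The filter and the server behind it have to agree on where a command starts; any line the filter does not recognise as USER is forwarded as-is, so the server's more lenient parsing decides the outcome.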