From owner-freebsd-security Mon Mar 5 23:24:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 657AB37B719 for ; Mon, 5 Mar 2001 23:24:47 -0800 (PST) (envelope-from roam@orbitel.bg)
Received: (qmail 18092 invoked by uid 1000); 6 Mar 2001 07:24:20 -0000
Date: Tue, 6 Mar 2001 09:24:20 +0200
From: Peter Pentchev
To: Dag-Erling Smorgrav
Cc: Adam , "Riley J. McIntire" , "Aaron D.Gifford" , freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
Message-ID: <20010306092420.A17428@ringworld.oblivion.bg>
Mail-Followup-To: Dag-Erling Smorgrav , Adam , "Riley J. McIntire" , "Aaron D.Gifford" , freebsd-security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from des@ofug.org on Tue, Mar 06, 2001 at 03:59:52AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 06, 2001 at 03:59:52AM +0100, Dag-Erling Smorgrav wrote:
> Adam writes:
> > What happens if they have a valid ftp account, login, and run !sh ?
>
> They get a shell on the box they're FTPing from.

..which happens to be the box they logged in *to*, since /usr/bin/ftp is
effectively their login shell.

Yes, that's bad.

G'luck,
Peter

--
I've heard that this sentence is a rumor.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
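The configuration the thread warns about is an account whose login shell is /usr/bin/ftp, a client with a built-in shell escape. An administrator's check for that situation, written as an added example that is not part of the mailing-list message: it parses passwd-format entries and flags accounts whose login shell is the ftp client named in the thread, or any program not listed in /etc/shells. The /etc/shells contents, the nologin paths and the passwd lines are constructed for this example and assume a typical FreeBSD layout.

```python
"""Audit passwd-format entries for login shells that grant more than intended.

All data below is constructed for this example; it is not from a real host.
"""
from typing import Iterable, Iterator, List, NamedTuple, Tuple

# Constructed stand-in for /etc/shells (assumption: typical FreeBSD contents).
VALID_SHELLS = {"/bin/sh", "/bin/csh", "/bin/tcsh", "/usr/local/bin/bash"}

# Non-interactive "shells" that deny login; not in /etc/shells but not a finding.
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin"}

# Interactive programs that, used as a login shell, still let the user run
# commands through a built-in escape. /usr/bin/ftp is the one from the thread.
ESCAPE_CAPABLE = {"/usr/bin/ftp"}


class Finding(NamedTuple):
    user: str
    shell: str
    reason: str


def parse_passwd(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (user, shell) from /etc/passwd (7 fields) or master.passwd (10 fields)."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (7, 10):
            continue  # malformed entry; skip rather than guess its layout
        yield fields[0], fields[-1]


def audit_shells(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per account whose login shell deserves review."""
    findings: List[Finding] = []
    for user, shell in parse_passwd(lines):
        if shell in ESCAPE_CAPABLE:
            findings.append(Finding(user, shell, "login shell offers a shell escape"))
        elif shell and shell not in VALID_SHELLS and shell not in NOLOGIN:
            findings.append(Finding(user, shell, "shell not listed in /etc/shells"))
    return findings


# Constructed sample passwd file; the ftpuser line is the case from the thread.
SAMPLE_PASSWD = """\
# constructed sample, not a real passwd file
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh
ftpuser:*:1002:1002:FTP-only account:/home/ftpuser:/usr/bin/ftp
bob:*:1003:1003:Bob:/home/bob:/usr/local/bin/zsh
"""

if __name__ == "__main__":
    for f in audit_shells(SAMPLE_PASSWD.splitlines()):
        print(f"{f.user}: {f.shell} ({f.reason})")
```

On a real host, feed it `open("/etc/passwd")` and build VALID_SHELLS from `/etc/shells`; an account that needs file transfer but no shell is better served by a restricted FTP daemon account with a nologin shell than by making the client itself the login shell.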