Date:      Fri, 23 Jun 2000 15:48:48 -0400
From:      Mike Tancsa <mike@sentex.ca>
To:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Fwd: WuFTPD: Providing *remote* root since at least 1994
Message-ID:  <3.0.5.32.20000623154848.02d2d6c0@marble.sentex.ca>
In-Reply-To: <200006231713.NAA49665@khavrinen.lcs.mit.edu>
References:  <Pine.BSF.4.21.0006222230390.65791-100000@achilles.silby.com> <4.2.2.20000622201823.0479a690@mail.sentex.net> <Pine.BSF.4.21.0006222230390.65791-100000@achilles.silby.com>

What about 

--enable-paranoid 

as part of the config? As so much seems to be related to the site exec
command, perhaps it's best to just disable this?

	---Mike


At 01:13 PM 6/23/00 -0400, Garrett Wollman wrote:
><<On Thu, 22 Jun 2000 22:34:30 -0500 (CDT), Mike Silbersack <silby@silby.com> said:
>
>> (Does anyone actually still run it?)
>
>Absolutely.
>
>Here's a patch (mangled by cut&paste) which hacks around the problem.
>Stick it in patches/patch-ftpcmd.y-MIT-IS for best results.  This hack
>was put together by MIT Information Systems as a stopgap until the
>wu-ftpd developers come up with an official fix.
>
>*** src/ftpcmd.y.old    Fri Jun 23 00:44:11 2000
>- --- src/ftpcmd.y        Fri Jun 23 00:48:36 2000
>***************
>*** 1460,1469 ****
>- --- 1460,1474 ----
>            if (wu_getline(cbuf, sizeof(cbuf) - 1, stdin) == NULL) {
>                (void) alarm(0);
>                reply(221, "You could at least say goodbye.");
>                dologout(0);
>            }
>+           else if (strchr(cbuf, '%')) {
>+               (void) alarm(0);
>+               reply(421, "The command line contained a %% character.");
>+               dologout(0);
>+           }
>  #ifndef IGNORE_NOOP
>            (void) alarm(0);
>  #endif
>            if ((cp = strchr(cbuf, '\r'))) {
>                *cp++ = '\n';
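Review bot: the new `else if (strchr(cbuf, '%'))` branch rejects every command line that contains a percent sign, not only `SITE EXEC`, so legitimate `RETR`, `STOR` or `CWD` requests for names containing `%` will now get a 421 and be disconnected; that is a reasonable trade for a stopgap, but the patch comment should say so, and it treats the symptom (a `%` in client input) rather than the cause, which is client text reaching a printf-style format; the durable fix is to pass that text as an argument to a fixed format string. The reply text itself correctly doubles the sign (`%%`) since `reply()` is printf-like. Note also that the `- ---` lines are PGP clearsign dash-escaping of the `---` file and range headers; strip the leading `- ` before handing this to patch(1), otherwise it will not apply.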
------------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications                             mike@sentex.net
Cambridge, Ontario Canada                         www.sentex.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
