Bugtraq mailing list archives
Re: The old "." problem
From: sfaust () ISI-MTL COM (S.Faust)
Date: Sat, 16 Oct 1999 20:02:27 -0400
What version of Serv-U did you test? On my side with the latest version (as of 16/10/99) it didn't work.

Log:

C:\TEMP\test>ftp slaughter
Connected to slaughter.
220 Serv-U FTP-Server v2.5a for WinSock ready...
User (slaughter:(none)): test
331 User name okay, need password.
Password:
230 User logged in, proceed.
ftp> cd test
250 Directory changed to /c:/ftp/test
ftp> ls -l
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
-rwx------ 1 user group 0 Oct 16 19:50 servu-ftpd-dot-test.txt
226 Transfer complete.
80 bytes received in 0.00 seconds (80000.00 Kbytes/sec)
ftp> get servu-ftpd-dot-test.txt
200 PORT Command successful.
550 Permission denied.
ftp> get servu-ftpd-dot-test.txt.
200 PORT Command successful.
550 Permission denied.
ftp> get servu-ftpd-dot-test.txt..
200 PORT Command successful.
550 Permission denied.
ftp> get servu-ftpd-dot-test.txt.......................................
200 PORT Command successful.
550 Permission denied.
ftp>

----- Original Message -----
From: <nblasgen () NICK REFRACT COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, October 13, 1999 6:31 PM
Subject: The old "." problem
A while back there was the problem of Windows HTTP servers with CGI and other server parsed pages (ASF, SMX, etc) if you added a "." to the end it would give you the raw code in TEXT format. I understand how that was a security problem. Just noticed that the same problem is true for at least one Windows FTP server, Serv-U. I can't find a problem with being able to request files with an extra "." at the end. I was unable to test the idea of downloading files that I had no permissions to.

Nicholas Blasgen
Refract, LLC
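The thread turns on whether a per-file access rule is compared against the name the client typed or the name Windows will actually open, since Win32 strips trailing dots and spaces from the final path component. The following is an added example, not code from this thread or from Serv-U; the rule table, function names and virtual paths are constructed for illustration, using the file name from the log above.

```python
# Added illustration: a per-file deny rule checked against the raw request
# string versus the name Win32 would resolve it to.
# DENY_READ and all function names are hypothetical, not Serv-U internals.

# Constructed rule table: virtual paths this user may not download.
DENY_READ = {"/test/servu-ftpd-dot-test.txt"}


def win32_effective_name(requested: str) -> str:
    """Return the name Win32 opens for `requested`.

    Covers only the final path component: trailing '.' and ' ' are
    stripped and the comparison is case-insensitive. Names made up
    entirely of dots/spaces are rejected rather than resolved.
    """
    head, sep, last = requested.replace("\\", "/").rpartition("/")
    last = last.rstrip(". ")
    if not last:
        raise ValueError("final component is empty after stripping dots/spaces")
    return (head + sep + last).lower()


def naive_allowed(requested: str) -> bool:
    # Compares the string exactly as the client sent it.
    return requested not in DENY_READ


def hardened_allowed(requested: str) -> bool:
    # Canonicalize first, then apply the rule; refuse anything that
    # cannot be canonicalized.
    try:
        return win32_effective_name(requested) not in DENY_READ
    except ValueError:
        return False


if __name__ == "__main__":
    base = "/test/servu-ftpd-dot-test.txt"
    # The same four request forms tried in the log above.
    for name in (base, base + ".", base + "..", base + "." * 39):
        print(f"{name[:40]:40} naive={naive_allowed(name)} "
              f"hardened={hardened_allowed(name)}")
```
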