Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Glftpd privpath bugs... +fix

From: raymond () THRIJSWIJK NL (Raymond Dijkxhoorn)
Date: Mon, 26 Jun 2000 10:54:25 +0200

Hi!

Glftpd 1.18 till 1.21b8 (current beta) have a serious problem with the
privpath directives....

It will probably be fixed in the comming 1.21b9 but i have included a
quick fix in this one to prevent exploits of this bug. Thanx for Hoopy for
the quick fix (glftpd dev team).

Problem:

When you know the private dir names on a site, or groupdirs you can ust
'try' to get in .. and its very easy. If you know the name of groupdir you
can simply change into it using the completion function on glftpd.

If you have a private dir / group dir:

For example....

/Groups/Mygroup and you have a dir named 'test' there.

you can simply jump to it by typing 'chdir /Groups/Mygroup/t
glftpd does not check if you have the proper rights to see the dir, it
just hops in there without any problem. So if you try a-9 on the dirnames
you can see all stuff inside a private dir,, takes some time, but with a
nice script its not that hard... ;-)

Fix:

Put in the attached fix, instructions are also inside the .c file.
It wil ONLY exploiting of the bug on glftpd 1.20 and above, so if you're
running <<1.20 then upgrade to the latest version. I'll post a short note
when the fixed binary is out also....

In the glftpd.conf: cscript cwd pre /bin/leakfix

Bye,
Raymond Dijkxhoorn.

<HR NOSHADE>
<UL>
<LI>TEXT/PLAIN attachment: leakfix.c
</UL>
Previous By Date Next
Previous By Thread Next

Current thread: