Re: WU-ftpd Upload Ownership/Permissions Bug

[andrewr () alpha1 excell net (Juan Valdez)]

After reading the original WU-ftpd post by Michael Brennen, then reading
this one, I thank him greatly for making sure that we all were informed
about this error on his behalf.  While I dont make advisory posts here,
I do feel we all could learn from this.  To take a look at what we have
noted as a hole, and then recheck it to make sure there are no mistakes.

Just some thoughts in the back of muh head

andrewr


Michael Brennen wrote:
> After looking further into the wu-ftpd bug I reported last week, I
> realized that many sites may not be vulnerable to the bug that I reported.
>
> In retrospect I realized that I had recently added the /./ to the end of
> the anonymous ftp path in /etc/passwd while rearranging the ftp user.  I
> certainly had no idea that it would break the upload directive code and
> found it quite by accident.  The code does not expect /./ at the end of
> the anonymous ftp path and does not behave correctly if it exists.
>
> The argument could be made that the /./ should never [need to] be on the
> anonymous ftp path since it is always chrooted.  Given the unexpected
> consequences of placing it there, and that adding the patch does not alter
> functionality if /./ is not there, I would argue that the source change
> should be made in the eventuality that someone puts /./ on their anon ftp
> path.
>
> anonymous is a chrooted account, and it would be easy to think you needed
> the /./.  If /./ is added, it unexpectedly changes the behaviour of the
> daemon for the worse.  That hole should be closed.
>
> A better patch against the original source is below; reverse the first
> before applying this one.
>
>    -- Michael