Bugtraq mailing list archives

Debian, Re: wuftp2.4.2academ beta 12-18 exploit


From: msm () TONELLI SNS IT (A Mennucc1)
Date: Fri, 7 May 1999 13:25:11 +0200


On Mon, May 03, 1999 at 08:11:00PM -0400, Gregory Newby wrote:
Workaround:

wu-ftpd and variants that use files /etc/ftp* for configuration
can easily help protect you against the many recent variants that
exploit buffer overflows with MKDIR.  All the varieties I've
seen require creating a directory or file - that's where the
overflow happens.

In /etc/ftpaccess, you have the option to specify SNIP
mkdir           no              anonymous
upload          no              anonymous

Beware: on Debian GNU/Linux
(my version is wu-2.4.2-academ[BETA-16])
the line mkdir... is silently ignored and has no effect,
and the line upload... has a completely different syntax:
```
upload  <root-dir>  <dirglob>  <yes|no>  <owner>  <group>
            <mode> ["dirs"|"nodirs"]
                Define  a  directory  with  <dirglob> that permits or
                denies uploads.
```

a.m.
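A small lint for the situation this message describes, added here as an example and not part of the original post or of wu-ftpd: it checks `upload` lines against the synopsis quoted above and flags `mkdir` lines, which the post reports as silently ignored by that build. The function names, the sample paths and owners, and the octal check on `<mode>` are assumptions.

```python
"""Lint ftpaccess lines against the upload synopsis quoted in the post."""

# Constructed sample; /home/ftp and the owner/group/mode values are placeholders.
SAMPLE = """\
# constructed ftpaccess fragment
mkdir           no              anonymous
upload          no              anonymous
upload  /home/ftp  *          no   nobody  nogroup  0000  nodirs
upload  /home/ftp  /incoming  yes  ftp     daemon   0666  nodirs
"""


def check_upload(args):
    """Classify the arguments of one upload line as deny, allow or bad-syntax.

    Synopsis from the post:
      <root-dir> <dirglob> <yes|no> <owner> <group> <mode> ["dirs"|"nodirs"]
    """
    if len(args) not in (6, 7):
        return "bad-syntax"
    verdict = args[2].lower()
    if verdict not in ("yes", "no"):
        return "bad-syntax"
    # Assumption: <mode> is an octal permission string such as 0666.
    if not args[5] or any(ch not in "01234567" for ch in args[5]):
        return "bad-syntax"
    if len(args) == 7 and args[6].lower() not in ("dirs", "nodirs"):
        return "bad-syntax"
    return "allow" if verdict == "yes" else "deny"


def lint_ftpaccess(text):
    """Return (line_number, directive, verdict) for each mkdir/upload line."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        directive, args = fields[0].lower(), fields[1:]
        if directive == "mkdir":
            # Per the post, this build ignores the line, so it protects nothing.
            findings.append((number, directive, "reported-ignored"))
        elif directive == "upload":
            findings.append((number, directive, check_upload(args)))
    return findings


if __name__ == "__main__":
    for number, directive, verdict in lint_ftpaccess(SAMPLE):
        print(f"line {number}: {directive}: {verdict}")
```
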


