Bugtraq mailing list archives
Re: Multiple vendors FTP denial of service
From: Stefan Laudat <stefan () WORLDBANK RO>
Date: Wed, 21 Mar 2001 00:55:03 +0200
Hi Aleph, Please add this to the 'quick fix collection'. Thanks.
ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*

disable globbing symbols with: DenyFilter "[\*\?]" ?
... and as a quick fix for nasty shell users having bash prompts on your machine, just enter 'set -f' in the /etc/profile. Of course, until we get a fixed bash or a fixed libc(?).

For tcsh users, set the "noglob" shell variable and kindly RTFM if you have further questions. For zsh, just use the noglob command (man zshmisc).

These disable globbing in some of the most popular shells, so your machine is a bit more secure against this attack.

PS. Cisco IOS implementation of flash hierarchical filesystem looks NOT to be vulnerable, although they implement globbing too.

--
Stefan Laudat
CCNA & CCAI
-------------
There's more than one way to skin a cat:
Way number 15 -- Krazy Glue and a toothbrush.
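The effect of the 'set -f' quick fix described in the post, as an added example that is not part of the original message: it counts how many words the posted pattern expands to in a constructed three-directory sandbox, with and without globbing. The function names, the sandbox layout and the small depths used are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration (not from the original post). All names are hypothetical.

# Create a constructed sandbox holding three empty directories; print its path.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/a" "$dir/b" "$dir/c"
    printf '%s\n' "$dir"
}

# Build the pattern from the post: $1 repetitions of "*/../" followed by "*".
build_pattern() {
    n=$1
    p='*'
    while [ "$n" -gt 0 ]; do
        p="*/../$p"
        n=$((n - 1))
    done
    printf '%s\n' "$p"
}

# Print how many words pattern $2 expands to inside directory $1.
# Passing "noglob" as $3 applies 'set -f' first. The body runs in a
# subshell, so neither the cd nor the option leaks into the caller.
expansion_count() (
    cd "$1" || exit 1
    if [ "$3" = "noglob" ]; then
        set -f
    fi
    # Deliberately unquoted: this is where pathname expansion happens.
    set -- $2
    printf '%s\n' "$#"
)

# Demo: with N entries per directory, every extra "*/../" multiplies the
# word count by N. With globbing disabled the pattern stays one literal word.
sandbox=$(make_sandbox) || exit 1
for depth in 0 1 2 3; do
    pat=$(build_pattern "$depth")
    printf '%-20s glob=%-3s noglob=%s\n' "$pat" \
        "$(expansion_count "$sandbox" "$pat")" \
        "$(expansion_count "$sandbox" "$pat" noglob)"
done
rm -rf "$sandbox"
```

Any user can turn globbing back on with 'set +f', so the /etc/profile setting changes the default for login shells and is not an enforced limit.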