ftpd security issue ?
mike at sentex.net
Thu Dec 1 01:38:13 UTC 2011
On 11/30/2011 8:16 PM, Xin LI wrote:
> Sorry I patched at the wrong place, this one should do.
> Note however this is not sufficient to fix the problem, for instance
> one can still upload .so's that run arbitrary code at his privilege,
> which has to be addressed in libc. I need some time to play around
> with libc to really fix this one.
Yes, that looks better! With respect to users uploading .so files, I
guess why not just upload executables directly? Although I suppose if
they are not allowed to execute anything, this would be a way around that.

Now to prod the proftpd folks.
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/