ftpd security issue ?

Mike Tancsa mike at sentex.net
Thu Dec 1 01:38:13 UTC 2011

On 11/30/2011 8:16 PM, Xin LI wrote:
> Sorry I patched at the wrong place, this one should do.
> Note however this is not sufficient to fix the problem, for instance
> one can still upload .so's that run arbitrary code at his privilege,
> which has to be addressed in libc.  I need some time to play around
> with libc to really fix this one.

Yes, that looks better!  With respect to users uploading .so files, I
guess why not just upload executables directly?  Although I suppose if
they are not allowed to execute anything, this would be a way around that.

Now to prod the proftpd folks.


Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/

More information about the freebsd-security mailing list