Re: ftpd security issue ?



On 11/30/2011 8:16 PM, Xin LI wrote:

Sorry I patched at the wrong place, this one should do.

Note however this is not sufficient to fix the problem, for instance
one can still upload .so's that run arbitrary code at his privilege,
which has to be addressed in libc. I need some time to play around
with libc to really fix this one.

Hi,
Yes, that looks better! With respect to users uploading .so files, I
guess why not just upload executables directly? Although I suppose if
they are not allowed to execute anything, this would be a way around that.

Now to prod the proftpd folks

---Mike


--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@xxxxxxxxxx
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security