Home page logo
/

bugtraq logo Bugtraq mailing list archives

DoS in debian (potato) proftpd
From: Joe Dollard <joed () devel livenote com>
Date: Tue, 26 Mar 2002 07:14:31 +1100

Hi guys,
        The version of proftp that is in debian potato (1.2.0pre10 as reported by running 'proftpd -v ') is vulnerable 
to a glob DoS attack, as discovered on the 15th March 2001. You can verify this bug by logging in to a server running 
debian stable's proftpd and type "ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*".  This results with 
100% of the CPU and memory resources being consumed (more info at http://proftpd.linux.co.uk/critbugs.html), 

A temporary workaround for this issue is to add DenyFilter \*.*/ into your proftp configuration file. 

I notifed security () debian org on the 12th of February (2002) about this problem and a discussion was entered into 
but no resolution occurred.  I contacted security () debian org again on the 21st of FEbruary and didn't receive a 
reply.  After posting to vuln-dev () securityfocus com on the 1st of March, I was told on the 7th of March that the 
package maintainer was working on a fix.  Now, over a year after the bug has been discovered, and over 5 weeks since I 
first contacted debian about it, no fix is in place in debian potato. Hopefully posting here will speed things up a bit.

Regards,
Joe Dollard


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault