Re: DoS due to GNU globbing functions
From: Rob klein Gunnewiek
Subject: Re: DoS due to GNU globbing functions
Date: Sun, 15 Dec 2002 01:18:01 +0100 (MET)
www.proftpd.net:
In summary, we would like to reiterate that this "vulnerability"
has been a non-issue for quite some time. Furthermore, we suggest
that Mr. Gunnewiek check his facts in the future before he engages
in handwaving and publicity-seeking.
Shut the fuck up! I'll keep 0day next time!!!
This "vulnerability" smashed up my system so obviously the bug wasn't
fixed. About publicity-seeking... remove my fucking name!
Why the fuck do you think I'm seeking publicity when you write my name 4
times on your front page. And the bug is soooo obvious it shouldn't have
been there in the first place, BIG SCANDAL!!! Finding such a bug is sooo
easy that it doesn't even deserve credit. If you think this bug ain't
there, then why do you care? I DON'T
I suggest you sed index.html and remove my name there!
I shouldn't have disclosed this on the bugtraq before handling this with
you, but YOU shouldn't react this way.
I forgot about address@hidden from now on, next time my infoz go
straight into the underground
On Thu, 12 Dec 2002, Rob klein Gunnewiek wrote:
> Hello,
>
> I discovered a DoS vulnerability in ProFTPd 1.2.5 and 1.2.7rc3 which use
> the GLIBC globbing functions.
> TJ Saunders pointed out to me that the DoS vulnerability was caused by the
> globbing functions in GLIBC used by ProFTPD, which makes this
> vulnerability likely to exist in other software as well.
>
> The method used was:
>
> STAT /*/*/*/*/*/*/*
> or
> LIST /*/*/*/*/*/*/*
>
> Note: this method seems to be different than:
>
> LIST ../*/../*/../*/../*
>
> and the like vulnerabilities reported a while ago.
>
> I have only tested this against slackware 8.1 default install + proftpd
> v1.2.4 and 1.2.7rc3.
>
> Rob.
>
>
>
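One way a server can bound the cost of patterns like the ones quoted above before they reach glob(), as an added example that is not code from this thread or from ProFTPD. The limit `MAX_WILD_COMPONENTS` and the function names `wild_components` and `bounded_glob` are assumptions made for this example.

```c
#include <glob.h>
#include <stddef.h>
#include <stdio.h>
/* Assumed policy limit (not from the original post): how many path
 * components of one pattern may contain wildcards. */
#define MAX_WILD_COMPONENTS 3

/* Count path components holding an unescaped glob metacharacter (*, ? or [).
 * Every such component multiplies the directories glob() has to read. */
int wild_components(const char *pattern)
{
    int count = 0, in_wild = 0;
    for (const char *p = pattern; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0' && p[1] != '/') {
            p++;                 /* escaped character is a literal */
        } else if (*p == '/') {
            in_wild = 0;         /* a new component starts */
        } else if ((*p == '*' || *p == '?' || *p == '[') && !in_wild) {
            in_wild = 1;         /* count each component once */
            count++;
        }
    }
    return count;
}

/* Hypothetical glob() wrapper: refuse an over-budget pattern before any
 * directory is read. GLOB_NOSPACE as the refusal code is this example's
 * choice; on refusal `out` is untouched and must not be globfree()d. */
int bounded_glob(const char *pattern, glob_t *out)
{
    if (wild_components(pattern) > MAX_WILD_COMPONENTS)
        return GLOB_NOSPACE;
    return glob(pattern, 0, NULL, out);
}

int main(void)
{
    /* Constructed inputs: the two patterns quoted above and a benign one. */
    const char *samples[] = { "/*/*/*/*/*/*/*", "../*/../*/../*/../*", "/etc/host*" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        glob_t g;
        int rc = bounded_glob(samples[i], &g);
        printf("%-20s wildcards=%d %s\n", samples[i], wild_components(samples[i]),
               rc == GLOB_NOSPACE ? "refused" : "passed to glob()");
        if (rc == 0)
            globfree(&g);
    }
    return 0;
}
```

A component budget like this only caps the fan-out of a single pattern; per-request limits on matches and CPU time remain useful alongside it.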