[BlueOnyx:02207] Re: Possible ProFTPD vuln?

Michael Stauber mstauber at blueonyx.it
Wed Aug 26 09:13:27 -05 2009


Hi DD,

> I received this from McAfee Secure this morning - they scan one of our
> client's websites:
>
> ---- 8< ----
> The remote host is using ProFTPD, a free FTP server for Unix and Linux.
> The version of ProFTPD running on the remote host splits an overly long FTP
> command into a series of shorter ones and executes each in turn. If an
> attacker can trick a ProFTPD administrator into accessing a
> specially-formatted HTML link, he may be able to cause arbitrary FTP
> commands to be executed in the context of the affected application with the
> administrator's privileges.
>
> Apply the patch included in the bug report or upgrade to the latest version
> in CVS. Fix is available on cvs:
> http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
> http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/extern.h
> http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
> ---- >8 ----
>
> Is this already available/pending as part of a YUM update?

BlueOnyx uses ProFTPd 1.3.2a, which is the latest version of ProFTPd. It was 
released by proftpd.org on 30th June 2009.

The SVN commits that your message mentions were made 11 months ago.

So yeah, these updates are already included in "our" ProFTPd.

-- 
With best regards

Michael Stauber
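As an added illustration of the bug class the scan report describes (not part of the original message or of ProFTPD's code): a toy model of FTP control-line handling that contrasts the weak behaviour, chopping an over-long line into pieces that each run as a command, with the hardened one, discarding the whole line and answering it with a single error. `MAX_LINE`, the function names and the sample byte stream are constructed for this example.

```python
from typing import List, Optional, Tuple

MAX_LINE = 64  # constructed small limit so the example stays readable


def commands_if_split(line: bytes, max_len: int = MAX_LINE) -> List[bytes]:
    """Weak handling: an over-long line is cut into max_len-sized pieces and
    every piece is handed to the command dispatcher as if it were its own
    line, so the tail of one long line runs as an extra command."""
    return [line[i:i + max_len] for i in range(0, len(line), max_len)]


def commands_if_rejected(line: bytes, max_len: int = MAX_LINE
                         ) -> Tuple[List[bytes], Optional[bytes]]:
    """Hardened handling: an over-long line is one malformed request.
    Nothing from it reaches the dispatcher and the client gets one 500 reply."""
    if len(line) > max_len:
        return [], b"500 Line too long"
    return [line], None


def process_control_stream(data: bytes, hardened: bool
                           ) -> Tuple[List[bytes], List[bytes]]:
    """Split a control-connection byte stream on CRLF and return the command
    lines that would reach the dispatcher plus any error replies sent."""
    executed, replies = [], []
    for raw in data.split(b"\r\n"):
        if not raw:
            continue
        if hardened:
            cmds, err = commands_if_rejected(raw)
            if err:
                replies.append(err)
        else:
            cmds = commands_if_split(raw)
        executed.extend(cmds)
    return executed, replies


# Constructed sample: one normal command, one padded past MAX_LINE, then QUIT.
SAMPLE = b"USER alice\r\n" + b"PWD " + b"A" * 70 + b"\r\n" + b"QUIT\r\n"

if __name__ == "__main__":
    for hardened in (False, True):
        cmds, errs = process_control_stream(SAMPLE, hardened)
        print("hardened" if hardened else "weak", len(cmds), errs)
```

Under the weak handling the padded line yields two dispatched commands; under the hardened handling it yields none, one 500 reply, and the QUIT that follows is still processed normally.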



