PROFTPD

shrek-m at gmx.de shrek-m at gmx.de
Thu Oct 23 15:36:19 UTC 2003


Res wrote:

>On Thu, 23 Oct 2003, Chris Ricker wrote:
>
>>On Thu, 23 Oct 2003, Res wrote:
>>
>>>ProFTPd has always had a good security track record
>>
>>That's true. I don't think a remote root exploit has been found in it more
>>recently than four weeks ago.
>
>twas local IIRC. and the first in how long  :)

http://www.iss.net/search.php?config=corporate&pattern=proftpd&x=0&y=0


----

Internet Security Systems Security Brief
September 23, 2003

ProFTPD ASCII File Remote Compromise Vulnerability
 
Synopsis:

ISS X-Force has discovered a flaw in the ProFTPD Unix FTP server. ProFTPD
is a highly configurable FTP (File Transfer Protocol) server for Unix
that allows for per-directory access restrictions, easy configuration of 
virtual FTP servers, and support for multiple authentication mechanisms.
A flaw exists in the ProFTPD component that handles incoming ASCII file
transfers.

Impact:

An attacker capable of uploading files to the vulnerable system can
trigger a buffer overflow and execute arbitrary code to gain complete
control of the system. Attackers may use this vulnerability to destroy,
steal, or manipulate data on vulnerable FTP sites.

Affected Versions:

ProFTPD 1.2.7
ProFTPD 1.2.8
ProFTPD 1.2.8rc1
ProFTPD 1.2.8rc2
ProFTPD 1.2.9rc1
ProFTPD 1.2.9rc2

Note: Versions previous to version 1.2.7 may also be vulnerable.

For the complete ISS X-Force Security Advisory, please visit: 
http://xforce.iss.net/xforce/alerts/id/154

----

Date Reported:      06/19/2003
Brief Description:  ProFTPD mod_sql SQL injection
Risk Factor:        Medium
Attack Type:        Network Based
Platforms:          Linux Any version, ProFTPD 1.2.9rc1 and earlier,
                    Unix Any version
Vulnerability:      proftpd-modsql-sql-injection
X-Force URL:        http://www.iss.net/security_center/static/12369.php

----



-- 
shrek-m






More information about the fedora-test-list mailing list