Another example of bad coding in ftp daemons, proftpd-1.2.0rc2 in this case.

main.c:659:

    void main_exit(void *pv, void *lv, void *ev, void *dummy)
    {
      int pri = (int) pv;
      char *log = (char *) lv;
      int exitcode = (int) ev;

      log_pri(pri, log);    /* here */

main_exit() is called by shutdown_exit() at main.c:708, with a formatted
shutdown message, which *can* contain user-supplied data (cwd). Almost
impossible to exploit.

main.c:803

      if(MODRET_ERRNUM(mr) && MODRET_ERRMSG(mr))
        /* here */ add_response_err(MODRET_ERRNUM(mr),MODRET_ERRMSG(mr));
      else if(MODRET_ERRMSG(mr))
        /* here */ send_response_raw(MODRET_ERRMSG(mr));

The MODRET_ERRMSG argument is prepared by ERROR_MSG called from a module.
Default and contributed modules don't return any user-supplied values in
error messages.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: [EMAIL PROTECTED] ** PGP: D48684904685DF43EA93AFA13BE170BF *
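
The pattern flagged at main.c:659, shown beside its corrected form as an added example (not part of the original post and not proftpd's code). It assumes log_pri() takes a printf-style format, as the post implies; `demo_log` is a hypothetical stand-in that formats into a buffer, and the sample message is constructed with a harmless `%%` to show that the message gets parsed as a format string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logger such as log_pri();
 * it formats into `out` instead of syslog so the result can be inspected. */
static void demo_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Pattern from the excerpt: the message itself is used as the format. */
static void exit_unsafe(char *out, size_t n, const char *msg)
{
    demo_log(out, n, msg);
}

/* Corrected pattern: constant format, message passed only as data. */
static void exit_safe(char *out, size_t n, const char *msg)
{
    demo_log(out, n, "%s", msg);
}

/* Constructed sample: shutdown message whose cwd part contains "%%". */
static const char *SAMPLE = "FTP session closed, cwd=/pub/100%%full";

/* Returns 1 if the logged text equals the input message, 0 otherwise. */
int unsafe_matches_input(void)
{
    char buf[128];
    exit_unsafe(buf, sizeof buf, SAMPLE);
    return strcmp(buf, SAMPLE) == 0;
}

int safe_matches_input(void)
{
    char buf[128];
    exit_safe(buf, sizeof buf, SAMPLE);
    return strcmp(buf, SAMPLE) == 0;
}

int main(void)
{
    printf("unsafe preserves message: %d\n", unsafe_matches_input());
    printf("safe preserves message:   %d\n", safe_matches_input());
    return 0;
}
```

The same constant-format fix applies to any call where a prepared message such as MODRET_ERRMSG(mr) reaches a printf-style function as its format argument.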