Another example of bad coding in FTP daemons, proftpd-1.2.0rc2 in this case.


main.c:659:

void main_exit(void *pv, void *lv, void *ev, void *dummy)
{
  int pri = (int) pv;
  char *log = (char *) lv;
  int exitcode = (int) ev;

  log_pri(pri, log); /* here */

main_exit() is called by shutdown_exit() at main.c:708, with a formatted
shutdown message, which *can* contain user-supplied data (cwd). Almost
impossible to exploit.


main.c:803

          if(MODRET_ERRNUM(mr) && MODRET_ERRMSG(mr))
/* here */  add_response_err(MODRET_ERRNUM(mr),MODRET_ERRMSG(mr));
          else if(MODRET_ERRMSG(mr))
/* here */  send_response_raw(MODRET_ERRMSG(mr));

The MODRET_ERRMSG argument is prepared by ERROR_MSG called from a module.
Default and contributed modules don't return any user-supplied values
in error messages.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: [EMAIL PROTECTED] ** PGP: D48684904685DF43EA93AFA13BE170BF *
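
The pattern the post flags in both excerpts, a preformatted message handed to a printf-style function as its format argument, next to the usual fix of passing it as data under a constant "%s". This is an added example, not proftpd's code and not part of the original post; log_fmt, count_directives, log_message_safe and the sample message are hypothetical names and constructed data.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logger such as log_pri().
 * The format attribute lets gcc/clang -Wformat-security flag calls
 * whose format argument is not a string literal. */
__attribute__((format(printf, 3, 4)))
static int log_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Audit helper: count printf directives in s ("%%" is a literal percent). */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Hardened form of the main_exit() call: the message is data, not format. */
static int log_message_safe(char *out, size_t n, const char *msg)
{
    /* Unsafe pattern from the post would be: log_fmt(out, n, msg); */
    return log_fmt(out, n, "%s", msg);
}

/* Constructed sample: shutdown message embedding a user-chosen cwd. */
static const char sample_msg[] = "FTP session closed, cwd=/incoming/%x%x%s";

int main(void)
{
    char buf[128];
    log_message_safe(buf, sizeof buf, sample_msg);
    printf("directives in message: %d\n", count_directives(sample_msg));
    printf("logged verbatim: %s\n", buf);
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler report the unsafe call form at every site where a non-literal string is passed as the format.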
