Hi,
I've made a test setup with the default Debian proftpd setup and tried
some exploit code.
With the default settings the proftpd server becomes unresponsive for 10
minutes immediately after running the exploit code.
When I allow more clients it just takes a couple more runs before
the server goes down.
When I change TimeoutNoTransfer, TimeoutStalled and TimeoutIdle I just
need more instances of the script running before the server becomes
unresponsive.
In my opinion this is not really a minor issue. Of course it gets
harder to exploit when you allow more clients or modify the timeout
values, or you could do some sort of rate limiting with the firewall, but
I still think the priority should be a bit higher than the next point
release.
Regards,
Sander
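The report above describes client slots being held until the configured timeouts expire. The following is an added example, not code from the reporter or from the proftpd project, that checks a server for that condition from the outside: it reads the directives named in the message (MaxClients, MaxInstances, TimeoutIdle, TimeoutNoTransfer, TimeoutStalled, plus TimeoutLogin) out of a proftpd.conf fragment, counts established control connections per peer from `ss -tn state established` output, and flags whether the slots are exhausted and which sources are hogging them. The configuration fragment and the `ss` output are constructed for the example, the values in them are illustrative and are not Debian's shipped defaults, and the per-source threshold is an assumption the operator would tune.

```python
from collections import Counter

# Constructed `ss -tn state established` output (not captured traffic): five
# control connections from one peer parked on the FTP port, one connection
# from another peer, and one unrelated SSH session that must be ignored.
SAMPLE_SS_OUTPUT = """\
Recv-Q Send-Q Local Address:Port  Peer Address:Port
0      0      192.0.2.10:21       198.51.100.7:40112
0      0      192.0.2.10:21       198.51.100.7:40113
0      0      192.0.2.10:21       198.51.100.7:40114
0      0      192.0.2.10:21       198.51.100.7:40115
0      0      192.0.2.10:21       198.51.100.7:40116
0      0      192.0.2.10:21       203.0.113.5:51000
0      0      192.0.2.10:22       198.51.100.7:40200
"""

# Constructed proftpd.conf fragment with illustrative values; it is not the
# Debian default configuration.
SAMPLE_CONF = """\
# constructed fragment for the example
MaxInstances        30
MaxClients          6 "Sorry, max %m users -- try again later"
TimeoutIdle         600
TimeoutNoTransfer   600
TimeoutStalled      600
"""


def parse_established(ss_output, ftp_port=21):
    """Count established connections per peer address whose local port is ftp_port.

    Parses the last two columns (local, peer) so it tolerates the optional
    leading State column; the header and non-FTP rows are skipped.
    """
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        local, peer = fields[-2], fields[-1]
        try:
            _local_host, local_port = local.rsplit(":", 1)
            peer_host, _peer_port = peer.rsplit(":", 1)
            if int(local_port) != ftp_port:
                continue
        except ValueError:
            continue  # header line or a malformed row
        counts[peer_host.strip("[]")] += 1  # strip IPv6 brackets
    return counts


def parse_proftpd_limits(conf_text):
    """Extract the directives that bound slot count and slot hold time.

    Directives absent from the fragment are reported as None; the caller should
    then consult proftpd's compiled-in defaults rather than guess a value.
    """
    wanted = ("MaxClients", "MaxInstances", "TimeoutIdle",
              "TimeoutNoTransfer", "TimeoutStalled", "TimeoutLogin")
    limits = {name: None for name in wanted}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        # MaxClients may carry a trailing message; only the number matters here.
        if parts[0] in limits and len(parts) >= 2 and parts[1].isdigit():
            limits[parts[0]] = int(parts[1])
    return limits


def slot_report(counts, max_clients, per_source_limit):
    """Summarise slot usage: total in use, whether MaxClients is reached, and
    which peers hold at least per_source_limit connections (assumed threshold)."""
    total = sum(counts.values())
    hogs = {src: n for src, n in counts.items() if n >= per_source_limit}
    return {
        "in_use": total,
        "max_clients": max_clients,
        "exhausted": max_clients is not None and total >= max_clients,
        "sources_over_limit": hogs,
    }


if __name__ == "__main__":
    limits = parse_proftpd_limits(SAMPLE_CONF)
    counts = parse_established(SAMPLE_SS_OUTPUT)
    report = slot_report(counts, limits["MaxClients"], per_source_limit=4)
    print(report)
    if report["exhausted"]:
        print("all client slots held; idle ones are released only after",
              "TimeoutIdle =", limits["TimeoutIdle"], "seconds")
```

On a live host, replace the constructed strings with the real `/etc/proftpd/proftpd.conf` and the output of `ss -tn state established`. A source listed under `sources_over_limit` is a candidate for the firewall rate limiting the reporter mentions, and the timeout values in the report show how long an abandoned connection keeps its slot.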