On 3/29/02 3:40 PM martin f krafft said...
dear bugtraq'ers,
i must confess that the information i provided wrt the acclaimed DoS
exploit in Debian potato's proftpd package (1.2.0pre10-2.0potato1) was
not fully accurate. the package *does in fact contain a buggy daemon*
despite having been
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Also tested, and vulnerable on:
FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002
[EMAIL PROTECTED]:/usr/src/sys/compile/GENERIC i386
Tested using the shells bash, csh, ksh, zsh.
Chip
- -
Chip McClure
Sr. Unix
also sprach Alun Jones [EMAIL PROTECTED] [2002.04.04.0445 +0200]:
DenyFilter \*.*/
Just as a quick question, why not deny the string /../ (you may have to
deny the regex /\.\./, depending how the filter in question works)?
quick answer: because i merely copied the fix from the security
This is, to put it politely, incredibly old news. Let's face it, if you give
a user a shell acount, with no restrictions on CPU time or memory usage,
yes, they will be able to suck up as much resources as the computer can
spare (this is, among other reasons why nice exists). I advise you place
On 3/29/02 3:40 PM martin f krafft said...
dear bugtraq'ers,
i must confess that the information i provided wrt the acclaimed DoS
exploit in Debian potato's proftpd package (1.2.0pre10-2.0potato1) was
not fully accurate. the package *does in fact contain a buggy daemon*
despite having been
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Also tested, and vulnerable on:
FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002
[EMAIL PROTECTED]:/usr/src/sys/compile/GENERIC i386
Tested using the shells bash, csh, ksh, zsh.
Chip
- -
Chip McClure
Sr. Unix
also sprach Alun Jones [EMAIL PROTECTED] [2002.04.04.0445 +0200]:
DenyFilter \*.*/
Just as a quick question, why not deny the string /../ (you may have to
deny the regex /\.\./, depending how the filter in question works)?
quick answer: because i merely copied the fix from the security
This is, to put it politely, incredibly old news. Let's face it, if you give
a user a shell acount, with no restrictions on CPU time or memory usage,
yes, they will be able to suck up as much resources as the computer can
spare (this is, among other reasons why nice exists). I advise you place
At 03:40 PM 3/29/2002, martin f krafft wrote:
ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
...
DenyFilter \*.*/
Just as a quick question, why not deny the string /../ (you may have to
deny the regex /\.\./, depending how the filter in question works)?
As far as I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello All,
I can confirm that the ls strings dos' slackware 8.0. Causes shell process of that
user (user or root) to chew up the cpu until the shell terminates on sig 11.
Works on any shell the user is using, csh, ksh, bash
Tested on:
Linux
At 03:40 PM 3/29/2002, martin f krafft wrote:
ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
...
DenyFilter \*.*/
Just as a quick question, why not deny the string /../ (you may have to
deny the regex /\.\./, depending how the filter in question works)?
As far as I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello All,
I can confirm that the ls strings dos' slackware 8.0. Causes shell process of
that user (user or root) to chew up the cpu until the shell terminates on sig
11.
Works on any shell the user is using, csh, ksh, bash
Tested on:
Linux
dear bugtraq'ers,
i must confess that the information i provided wrt the acclaimed DoS
exploit in Debian potato's proftpd package (1.2.0pre10-2.0potato1) was
not fully accurate. the package *does in fact contain a buggy daemon*
despite having been fixed, according to the changelog:
proftpd
dear bugtraq'ers,
i must confess that the information i provided wrt the acclaimed DoS
exploit in Debian potato's proftpd package (1.2.0pre10-2.0potato1) was
not fully accurate. the package *does in fact contain a buggy daemon*
despite having been fixed, according to the changelog:
proftpd
On Wed, Mar 27, 2002 at 12:37:59AM +0100, martin f krafft wrote:
also sprach Joe Dollard [EMAIL PROTECTED] [2002.03.25.2114 +0100]:
Hi,
The version of proftp that is in debian potato (1.2.0pre10 as
reported by running 'proftpd -v ') is vulnerable to a glob DoS
attack, as
On Wed, 27 Mar 2002 00:37:59 +0100
martin f krafft [EMAIL PROTECTED] wrote:
[...]
(please fix your line wraps!)
security.debian.org has proftpd_1.2.0pre10-2.0potato1 which does not
contain this bug, at least not on i386 systems:
fishbowl:~ ncftp lapse.home.madduck.net
NcFTP 3.1.2
On Wed, Mar 27, 2002 at 12:37:59AM +0100, martin f krafft wrote:
also sprach Joe Dollard [EMAIL PROTECTED] [2002.03.25.2114 +0100]:
Hi,
The version of proftp that is in debian potato (1.2.0pre10 as
reported by running 'proftpd -v ') is vulnerable to a glob DoS
attack, as
On Wed, 27 Mar 2002 00:37:59 +0100
martin f krafft [EMAIL PROTECTED] wrote:
[...]
(please fix your line wraps!)
security.debian.org has proftpd_1.2.0pre10-2.0potato1 which does not
contain this bug, at least not on i386 systems:
fishbowl:~ ncftp lapse.home.madduck.net
NcFTP 3.1.2 (Jan
also sprach Joe Dollard [EMAIL PROTECTED] [2002.03.25.2114 +0100]:
The version of proftp that is in debian potato (1.2.0pre10 as
reported by running 'proftpd -v ') is vulnerable to a glob DoS
attack, as discovered on the 15th March 2001. You can verify this
bug by
19 matches
Mail list logo