Subject: Glftpd privpath bugs... +fix
From: Raymond Dijkxhoorn (raymond THRIJSWIJK.NL)
Date: Mon Jun 26 2000 - 03:54:25 CDT
- Next message: Lamagra Argamal: "format bugs, in addition to the wuftpd bug"
- Previous message: Roy Hills: "NT DNS Server leaks administrator account name in SOA record"
- In reply to: Kyle Sparger: "Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities"
- Next in thread: Scott: "Re: Glftpd privpath bugs... +fix"
- Next in thread: Antonio Galea: "Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities"
- Reply: Raymond Dijkxhoorn: "Glftpd privpath bugs... +fix"
- Reply: Scott: "Re: Glftpd privpath bugs... +fix"
Hi!
Glftpd 1.18 till 1.21b8 (current beta) have a serious problem with the
privpath directives....
It will probably be fixed in the coming 1.21b9 but I have included a
quick fix in this one to prevent exploits of this bug. Thanks to Hoopy for
the quick fix (glftpd dev team).
Problem:
When you know the private dir names on a site, or groupdirs, you can just
'try' to get in .. and it's very easy. If you know the name of a groupdir you
can simply change into it using the completion function on glftpd.
If you have a private dir / group dir:
For example....
/Groups/Mygroup and you have a dir named 'test' there.
you can simply jump to it by typing 'chdir /Groups/Mygroup/t
glftpd does not check if you have the proper rights to see the dir, it
just hops in there without any problem. So if you try a-9 on the dirnames
you can see all stuff inside a private dir. It takes some time, but with a
nice script it's not that hard... ;-)
Fix:
Put in the attached fix, instructions are also inside the .c file.
It will ONLY prevent exploiting of the bug on glftpd 1.20 and above, so if you're
running <<1.20 then upgrade to the latest version. I'll also post a short note
when the fixed binary is out....
In the glftpd.conf: cscript cwd pre /bin/leakfix
Bye,
Raymond Dijkxhoorn.
- TEXT/PLAIN attachment: leakfix.c
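
A simplified model of the check ordering described in the message above, added here as an example; it is not glftpd code and not the attached leakfix.c. The directory tree, group names and function names are constructed for illustration, and the "reported" function only models the behaviour the message describes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample tree and one private-path rule (names are illustrative). */
static const char *dirs[] = { "/Groups", "/Groups/Mygroup",
                              "/Groups/Mygroup/test", "/Pub", "/Pub/tools" };
#define NDIRS (sizeof dirs / sizeof dirs[0])
static const char *priv_path = "/Groups/Mygroup";
static const char *priv_group = "Mygroup";

/* Exact match, else the unique directory completing the last path component. */
static const char *complete(const char *arg) {
    size_t n = strlen(arg);
    const char *hit = NULL;
    for (size_t i = 0; i < NDIRS; i++)
        if (strcmp(dirs[i], arg) == 0) return dirs[i];
    for (size_t i = 0; i < NDIRS; i++)
        if (strncmp(dirs[i], arg, n) == 0 && !strchr(dirs[i] + n, '/')) {
            if (hit) return NULL;            /* ambiguous prefix */
            hit = dirs[i];
        }
    return hit;
}

/* A path at or below priv_path is visible only to members of priv_group. */
static int allowed(const char *path, const char *group) {
    size_t n = strlen(priv_path);
    int inside = strncmp(path, priv_path, n) == 0 &&
                 (path[n] == '\0' || path[n] == '/');
    return !inside || strcmp(group, priv_group) == 0;
}

/* Model of the reported behaviour: rights are checked only for exact names. */
static const char *cwd_reported(const char *arg, const char *group) {
    const char *p = complete(arg);
    if (p && strcmp(p, arg) == 0 && !allowed(p, group)) return NULL;
    return p;                                /* completed name: no check */
}

/* Hardened order: resolve first, then authorize the resolved path. Denied and
   nonexistent both return NULL so the reply does not confirm a private name. */
static const char *cwd_checked(const char *arg, const char *group) {
    const char *p = complete(arg);
    return (p && allowed(p, group)) ? p : NULL;
}

int main(void) {
    const char *a = cwd_reported("/Groups/Mygroup/t", "Other");
    const char *b = cwd_checked("/Groups/Mygroup/t", "Other");
    printf("reported: %s\nchecked:  %s\n", a ? a : "(denied)", b ? b : "(denied)");
    return 0;
}
```

The point of the hardened variant is that authorization runs on the path the server will actually enter, not on the string the client typed.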