|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Przemyslaw Frasunek (venglin
FREEBSD.LUBLIN.PL)Date: Fri Feb 02 2001 - 17:11:49 CST
On Fri, Feb 02, 2001 at 03:04:31PM -0800, Kris Kennaway wrote:
> > BTW. Old BSD derived ftpd is also used in opieftpd and SSLftpd. Both are
> > vulnerable to this attack.
> In case anyone is wondering how old is old:
The same problem persists in heimdal / kerberosIV ftpd implementation:
heimdal/appl/ftp/ftpd/popen.c and kerberosIV/appl/ftp/ftpd/popen.c:
char **pop, *argv[100], *gargv[1000];
/* break up string into pieces */
foo = NULL;
for (argc = 0, cp = program;; cp = NULL) {
if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
break;
}
Both are based on BSD derived ftpd version 6.00.
-- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]