[Proftpd-user] Bug 4169
Mark Moseley
2016-12-07 22:12:04 UTC
http://bugs.proftpd.org/show_bug.cgi?id=4169

We're investigating this and it still seems like it's exploitable on
1.3.6rc2. I just ran through the same steps in the above link on a freshly
rolled 1.3.6rc2 and it copied /etc/passwd to /tmp/passwd.copy

Looking at the git commits, the entry that says it fixes 4169 doesn't have
any code that seems to be related (there's a single mod_sftp patch).
TJ Saunders
2016-12-17 15:03:17 UTC
Post by Mark Moseley:
> http://bugs.proftpd.org/show_bug.cgi?id=4169
> We're investigating this and it still seems like it's exploitable on
> 1.3.6rc2. I just ran through the same steps in the above link on a
> freshly rolled 1.3.6rc2 and it copied /etc/passwd to /tmp/passwd.copy
> Looking at the git commits, the entry that says it fixes 4169 doesn't
> have any code that seems to be related (there's a single mod_sftp patch).
Could you provide the exact steps/sequence of commands you are using to
build, install, and test this? As using the steps in the bug report
with proftpd-1.3.6rc2 locally, and using the regression tests for this
issue, I cannot reproduce the behavior.

As for the git commits, the related code/fix is the addition of checks
for whether the client has authenticated, i.e.:

  authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
  if (authenticated == NULL ||
      *authenticated == FALSE) {

Cheers,
TJ
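Editor's note: the fail-closed check TJ quotes above, worked through as a stand-alone example (added here; it is not ProFTPD's code and the struct, helper names and reply codes are stand-ins). It models the session's "authenticated" parameter being absent or false until login succeeds, and shows why a copy handler must refuse in both cases rather than only when the flag is explicitly false.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for the per-session config table. In the real
 * server, "authenticated" is looked up with get_param_ptr() and is NULL
 * until a successful login stores it. Hypothetical names, not the API. */
struct session_conf {
    bool has_authenticated;   /* does the "authenticated" parameter exist? */
    bool authenticated;       /* its value when it does */
};

/* Mimics get_param_ptr(conf, "authenticated", FALSE): a pointer to the
 * stored value, or NULL when nothing was ever recorded for this session. */
static const bool *get_authenticated(const struct session_conf *conf) {
    return conf->has_authenticated ? &conf->authenticated : NULL;
}

/* The gate from the fix: a missing flag is treated exactly like FALSE,
 * so a session that never logged in cannot slip through on NULL. */
static bool client_is_authenticated(const struct session_conf *conf) {
    const bool *authenticated = get_authenticated(conf);
    if (authenticated == NULL || *authenticated == false) {
        return false;
    }
    return true;
}

/* Constructed FTP reply codes for the handler below. */
enum { REPLY_NOT_LOGGED_IN = 530, REPLY_OK = 250 };

/* Handler for a SITE copy sub-command (bug 4169 concerns mod_copy's
 * CPFR/CPTO). The check runs before any path is looked at, so an
 * unauthenticated session never reaches the copy logic. */
static int handle_site_copy(const struct session_conf *conf, const char *subcmd) {
    (void)subcmd;
    if (!client_is_authenticated(conf)) {
        return REPLY_NOT_LOGGED_IN;   /* refuse: "Not logged in" */
    }
    /* Only here would the real copy take place. */
    return REPLY_OK;
}
```

The three cases worth regression-testing are: no flag stored yet, flag stored as false, and flag stored as true; only the last may proceed.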
