Gentoo Logo

ProFTPD Access Control List bypass vulnerability


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200405-09 / proftpd
Release Date May 19, 2004
Latest Revision May 19, 2004: 01
Impact high
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-ftp/proftpd = 1.2.9-r1, = 1.2.9 >= 1.2.9-r2 All supported architectures

Related bugreports: #49496


Version 1.2.9 of ProFTPD introduced a vulnerability that causes CIDR-based Access Control Lists (ACLs) to be treated as "AllowAll", thereby allowing remote users full access to files available to the FTP daemon.

2.  Impact Information


ProFTPD is an FTP daemon.


ProFTPD 1.2.9 introduced a vulnerability that allows CIDR-based ACLs (such as to be bypassed. The CIDR ACLs are disregarded, with the net effect being similar to an "AllowAll" directive.


This vulnerability may allow unauthorized files, including critical system files to be downloaded and/or modified, thereby allowing a potential remote compromise of the server.

3.  Resolution Information


Users may work around the problem by avoiding use of CIDR-based ACLs.


ProFTPD users are encouraged to upgrade to the latest version of the package:

Code Listing 3.1: Resolution

# emerge sync
# emerge -pv ">=net-ftp/proftpd-1.2.9-r2"
# emerge ">=net-ftp/proftpd-1.2.9-r2"

4.  References


Page updated May 19, 2004

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.