Gentoo Logo

ProFTPD Access Control List bypass vulnerability

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200405-09 / proftpd
Release Date May 19, 2004
Latest Revision May 19, 2004: 01
Impact high
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-ftp/proftpd = 1.2.9-r1, = 1.2.9 >= 1.2.9-r2 All supported architectures

Related bugreports: #49496

Synopsis

Version 1.2.9 of ProFTPD introduced a vulnerability that causes CIDR-based Access Control Lists (ACLs) to be treated as "AllowAll", thereby allowing remote users full access to files available to the FTP daemon.

2.  Impact Information

Background

ProFTPD is an FTP daemon.

Description

ProFTPD 1.2.9 introduced a vulnerability that allows CIDR-based ACLs (such as 10.0.0.1/24) to be bypassed. The CIDR ACLs are disregarded, with the net effect being similar to an "AllowAll" directive.

Impact

This vulnerability may allow unauthorized files, including critical system files to be downloaded and/or modified, thereby allowing a potential remote compromise of the server.

3.  Resolution Information

Workaround

Users may work around the problem by avoiding use of CIDR-based ACLs.

Resolution

ProFTPD users are encouraged to upgrade to the latest version of the package:

Code Listing 3.1: Resolution

# emerge sync
# emerge -pv ">=net-ftp/proftpd-1.2.9-r2"
# emerge ">=net-ftp/proftpd-1.2.9-r2"

4.  References

Print

Page updated May 19, 2004

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.