OpenPKG Security Advisory
OpenPKG-SA-2004.018
Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2004.018 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2004.018 Advisory Published: 2008-10-06 23:09 UTC Issue Id (internal): OpenPKG-SI-20040430.01 Issue First Created: 2004-04-30 Issue Last Modified: 2006-11-28 Issue Revision: 07
Subject Name: ProFTPD Subject Summary: Professional FTP Daemon Subject Home: http://www.proftpd.net/ Subject Versions: * <= 1.2.9 Vulnerability Id: none Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: remote network Attack Impact: privilege escalation Description: A portability workaround was applied in version 1.2.9 of the FTP server ProFTPD [1]. As a side-effect, CIDR based (aaa.bbb.ccc.ddd/NN) ACL entries in "Allow" and "Deny" directives act like an "AllowAll" directive and so FTP clients are granted access to files and directories although the server configuration might explicitly deny this [2]. References: [1] http://www.proftpd.org/ [2] http://bugs.proftpd.org/show_bug.cgi?id=2267 [3] http://www.openpkg.org/tutorial.html#regular-source [4] http://www.openpkg.org/tutorial.html#regular-binary [5] ftp://ftp.openpkg.org/release/2.0/UPD/proftpd-1.2.9-2.0.1.src.rpm [6] ftp://ftp.openpkg.org/release/2.0/UPD/ [7] http://www.openpkg.org/security.html#signature
Primary Package Name: proftpd Primary Package Home: http://openpkg.org/go/package/proftpd Affected Distribution: Affected Branch: Affected Package: OpenPKG Community 1.3-SOLID n/a OpenPKG Community 2.0-SOLID proftpd-1.2.9-2.0.0 OpenPKG Community CURRENT proftpd-1.2.9-20040207 Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Community 1.3-SOLID n/a OpenPKG Community 2.0-SOLID proftpd-1.2.9-2.0.1 OpenPKG Community CURRENT proftpd-1.2.10rc1-20040429
