Date: Tue, 3 Feb 2015 15:56:47 +0100 From: Moritz Muehlenhoff <jmm@...ian.org> To: oss-security@...ts.openwall.com Cc: scarybeasts@...il.com Subject: Re: vsftpd problem in deny_hosts On Tue, Feb 03, 2015 at 12:45:24PM +0300, Solar Designer wrote: > On Tue, Feb 03, 2015 at 09:28:36AM +0100, Marcus Meissner wrote: > > IBM reported to us a problem in vsftpd deny_hosts problem. > > > > CVE-2015-1419 > > > > https://bugzilla.novell.com/show_bug.cgi?id=915522 > > > > Description; > > Set the option "deny_file" in /etc/vsftpd.conf on a top-directory (for example "deny_file=/home/*") > > Then log in with ftp and try to cd to "/home/" first, which will fail, then try to cd to "/./home/" which will succeed! > > The latter case shouldn't be possible as well! > > What does upstream say about this? (CC'ing.) At least the man page states the deny_file is not a full-blown security measure: | This option is very simple, and should not be used for serious | access control - the filesystem's permissions should be used in preference. Cheers, Moritz
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ