ProFTPD
Highly configurable GPL-licensed FTP server software
Current Versions
Current: 1.2.4 [ gz ] [ bz2 ]
Candidate: 1.2.5rc1 [ gz ] [ bz2 ]

Updated: 22/Aug/2001 - hamster
Copyright (C) 1999, 2000-2, The ProFTPD Project.
Critical Bugs

Bug: Security risk in mod_sql/3.2.3
Bugzilla ID: none
Version: Not shipped with ProFTPD source
Platforms: All
Severity/Effect: Critical
Fixed in: mod_sql/3.2.4 (shipped with 1.2.2)

Description of problem:

A bug in mod_sql/3.2.3 results in only the username being checked at login, not the password. Anyone running mod_sql/3.2.3 should upgrade immediately. This version of mod_sql was not shipped with the official source releases, so only administrators who have manually updated mod_sql are affected.

Bug: glob() DoS attack
Bugzilla ID: 1066
Version: 1.2.1 and earlier
Platforms: All
Severity/Effect: Critical
Fixed in: 1.2.2rc1

Reported on BUGTRAQ on the 15th of March by Frank DENIS (Jedi/Sector One).

Official response from the development team.

Problem commands:

ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
ls */.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/
ls .*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/

Other commands of this style may also cause the same behaviour; the exact commands listed here are not required to trigger it.

Effect:

The daemon process handling the command starts to consume all the CPU and memory available to it. Multiple simultaneous instances deplete resources faster, causing either the daemon process or the server to crash.

Fix / Workaround:

A fixed version of GNU glob is used in ProFTPD 1.2.2rc1 and later.

As a temporary workaround, in lieu of running an updated version of ProFTPD, we recommend adding the following directive in the <Global> context, which should catch most variants of this problem. Note that it rejects any command argument containing a literal asterisk followed later by a slash, so legitimate wildcard listings that reach into subdirectories (for example ls */README) are refused as well.

DenyFilter \*.*/
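As an added check that is not part of this advisory or of ProFTPD itself, the script below runs the suggested filter pattern over the three problem arguments and over a few ordinary ones. ProFTPD compiles DenyFilter as a POSIX regular expression and tests each command's argument against it, so grep -E stands in for that matcher here; every argument string in the script is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from ProFTPD or its developers: emulate the
# suggested "DenyFilter \*.*/" with grep -E (POSIX ERE, the regex flavour
# ProFTPD uses for DenyFilter) and see which command arguments it would
# refuse. All argument strings below are constructed samples.

DENY_RE='\*.*/'    # a literal '*', anything, then a '/'

# Print REJECT if ARG would be refused by the filter, allow otherwise.
verdict() {
    if printf '%s\n' "$1" | grep -Eq "$DENY_RE"; then
        echo REJECT
    else
        echo allow
    fi
}

# Print how many of the given arguments the filter would refuse.
count_rejected() {
    n=0
    for arg in "$@"; do
        if [ "$(verdict "$arg")" = REJECT ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# The three arguments from the advisory (what follows "ls").
ATTACK1='*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*'
ATTACK2='*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/*/.*/'
ATTACK3='.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/.*./*?/'

# Ordinary arguments an FTP client might send. The last two are legitimate
# but still match: that is the cost of this workaround.
for arg in "$ATTACK1" "$ATTACK2" "$ATTACK3" \
           '*.tar.gz' 'pub/*.txt' 'README' '*/README' 'src/*/Makefile'; do
    printf '%-7s %s\n' "$(verdict "$arg")" "$arg"
done
```

The three attack arguments are refused, as are wildcards that descend into a subdirectory, while a wildcard confined to one directory (*.tar.gz, pub/*.txt) passes. Before deploying the directive, run your own users' typical listing patterns through the same check to see what collateral the filter causes for them.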

We also recommend that the daemon process be started with appropriate ulimits set, to control the system resources that ProFTPD processes can consume. This should help keep the server usable regardless of attacks being made. The development team is looking into modifying ProFTPD to provide native ulimit functionality.
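One way to start the daemon under such limits, as an added example that is not part of ProFTPD or of this advisory: a small wrapper sets per-process CPU and memory ceilings and then execs the daemon, so that a process stuck expanding a pattern hits the ceiling instead of exhausting the host. The daemon path and the limit values are assumptions.

```shell
#!/bin/sh
# Added example, not part of ProFTPD: start a daemon under per-process
# resource limits. The daemon path and the limit values are assumptions;
# size them from the memory and CPU a healthy session actually uses.

DAEMON=${DAEMON:-/usr/sbin/proftpd}

# Set limits in a subshell and exec "$@" there. Resource limits survive
# exec and are inherited by every child the daemon forks per connection.
#   -t  CPU seconds one process may consume before it is killed
#   -v  address space in KiB (falls back to -d, the data segment, where
#       the shell has no -v)
run_limited() {
    cpu_secs=$1; mem_kib=$2; shift 2
    (
        ulimit -t "$cpu_secs" || exit 1
        ulimit -v "$mem_kib" 2>/dev/null || ulimit -d "$mem_kib" || exit 1
        exec "$@"
    )
}

# Report the limits a child started through run_limited really gets, so the
# wrapper can be checked before it is put in front of the daemon.
show_limits() {
    run_limited "$1" "$2" sh -c \
        'echo "cpu=$(ulimit -t) mem=$(ulimit -v 2>/dev/null || ulimit -d)"'
}

# Typical use (values are illustrative): a 300 second CPU budget and 64 MiB
# of address space per process.
#   run_limited 300 65536 "$DAEMON"
```

Because the limits are per process, several simultaneous sessions can still add up; ProFTPD's MaxInstances directive bounds how many child processes the standalone daemon will fork, and pairing it with the wrapper caps the total.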

Summary:

This issue has been remedied in ProFTPD 1.2.2rc1.

Additionally, the administrators of ftp.proftpd.org would like to thank Frank Denis for testing his theory about the vulnerability by launching a denial of service attack against that server, causing it to become unavailable for a period of time.