Date: Fri, 16 Mar 2001 08:12:33 -0500 (EST)
From: "Michael Richards" <michael@fastmail.ca>
To: freebsd-security@FreeBSD.ORG
Cc: bright@wintelcom.net
Subject: Re: Multiple vendors FTP denial of service
Message-ID: <3AB21141.0000E1.28395@frodo.searchcanada.ca>

Normally when I write code to sanitise a user entered path with glob or ..
in it I process the string to remove any directory name succeeded by a '/..'
There is of course a problem with this generalised optimisation.
/nonexistant/../existant/ succeeds where it shouldn't. However, when you
apply it to a glob, it is implied that '*/..' must exist. In this case, I
believe it is valid to remove any iteration of '*/..' from the string. This
may still, however, leave a crafty combination of '?' to cause the same
problem.

-Michael

>> Actually I think this highly depends on HOW MANY files and
>> directories FTPD can access.
>>
>> I didn't see any damage with a jailed FTPD with 1 directory and 2
>> files.
>
> The only reason you didn't see a problem was because you had
> only one directory.
>
> The DoS works via a simple mechanism.
>
> if you have a dir with two directories in it 'a' and 'b'
>
> */../ -> a/.. b/..
> */../*/.. -> a/../a/.. a/../b/.. b/../a/.. b/../b/..
>
> basically for each ../*/ you do a power N where N is the number
> of directories.
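
Added example, not part of the original message and not taken from any ftpd source: the '*/..' collapse described in the message, applied before the pattern reaches glob(), together with a check for the residual case the message warns about (a '?' or other wildcard component still followed by '..'). The function names, and the idea that a caller would refuse a pattern flagged by the second function, are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Collapse each "*" component directly followed by ".." (the rule from the
 * message). Returns pairs removed, or -1 if out is too small; an empty
 * result is written as ".". Names here are illustrative, not ftpd's. */
int collapse_star_dotdot(const char *in, char *out, size_t outsz)
{
    size_t len = 0, base = (*in == '/') ? 1 : 0;
    int removed = 0;

    if (outsz < 2) return -1;
    if (base) out[len++] = '/';
    while (*in) {
        size_t n = strcspn(in, "/");        /* length of next component */
        int dotdot = (n == 2 && in[0] == '.' && in[1] == '.');
        if (dotdot && len > base && out[len - 1] == '*' &&
            (len == 1 || out[len - 2] == '/')) {
            len--;                          /* drop the "*" component */
            if (len > base) len--;          /* and its separator */
            removed++;
        } else if (n > 0) {
            if (len + n + 2 > outsz) return -1;
            if (len > base) out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
        while (*in == '/') in++;            /* skip separators */
    }
    if (len == 0) out[len++] = '.';
    out[len] = '\0';
    return removed;
}

/* Returns 1 if a component containing glob metacharacters is still directly
 * followed by "..", e.g. "?/.." (the caveat raised in the message). */
int wildcard_before_dotdot(const char *p)
{
    int prev_wild = 0;
    while (*p) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.' && prev_wild) return 1;
        if (n > 0) prev_wild = (strcspn(p, "*?[") < n);
        p += n;
        while (*p == '/') p++;
    }
    return 0;
}
```

Literal components such as /nonexistant/../existant are deliberately left alone, since the message points out that removing them would make a nonexistent path succeed.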