Date:      Tue, 6 Mar 2001 09:24:20 +0200
From:      Peter Pentchev <roam@orbitel.bg>
To:        Dag-Erling Smorgrav <des@ofug.org>
Cc:        Adam <bsdx@looksharp.net>, "Riley J. McIntire" <rjmcintire@earthlink.net>, "Aaron D.Gifford" <agifford@infowest.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: ftp access
Message-ID:  <20010306092420.A17428@ringworld.oblivion.bg>
In-Reply-To: <xzp4rx71u1j.fsf@flood.ping.uio.no>; from des@ofug.org on Tue, Mar 06, 2001 at 03:59:52AM +0100
References:  <Pine.BSF.4.33.0103052126390.13417-100000@turtle.looksharp.net> <xzp4rx71u1j.fsf@flood.ping.uio.no>

On Tue, Mar 06, 2001 at 03:59:52AM +0100, Dag-Erling Smorgrav wrote:
> Adam <bsdx@looksharp.net> writes:
> > What happens if they have a valid ftp account, login, and run !sh ?
> 
> They get a shell on the box they're FTPing from.

..which happens to be the box they logged in *to*, since /usr/bin/ftp
is effectively their login shell.  Yes, that's bad.

G'luck,
Peter

-- 
I've heard that this sentence is a rumor.
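
An audit for the condition described in this message, as an added example that is not part of the original post: it lists accounts whose login shell is an interactive program with a built-in shell escape. The sample passwd lines are constructed, and the program list is an illustrative assumption, not an exhaustive one.

```shell
#!/bin/sh
# Constructed sample in passwd(5) format; on a real host, feed /etc/passwd instead.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
ftpuser:*:1001:1001:FTP-only user:/home/ftpuser:/usr/bin/ftp
alice:*:1002:1002:Alice:/home/alice:/bin/sh
upload:*:1003:1003:Upload only:/home/upload:/sbin/nologin
editor:*:1004:1004:Editor:/home/editor:/usr/bin/vi'

# audit_login_shells: read passwd-format lines on stdin and print
# "user shell" for every account whose login shell is a program that
# offers a shell escape (ftp "!", vi ":!", more/less "!", ...).
# Such an account is not restricted: the escape runs on this host.
audit_login_shells() {
    awk -F: '
        BEGIN {
            # Assumed, non-exhaustive list of escape-capable programs.
            n = split("ftp telnet vi ex more less man mail", names, " ")
            for (i = 1; i <= n; i++) esc[names[i]] = 1
        }
        /^#/ || NF < 7 { next }          # skip comments and short lines
        {
            m = split($7, parts, "/")    # basename of the shell field
            if (parts[m] in esc) print $1, $7
        }
    '
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_login_shells
```

Accounts meant to have no interactive access are normally given a shell such as `/sbin/nologin`, which offers no escape.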