Just some thoughts in the back of muh head
andrewr
Michael Brennen wrote:
>
> After looking further into the wu-ftpd bug I reported last week, I
> realized that many sites may not be vulnerable to the bug that I reported.
>
> In retrospect I realized that I had recently added the /./ to the end of
> the anonymous ftp path in /etc/passwd while rearranging the ftp user. I
> certainly had no idea that it would break the upload directive code and
> found it quite by accident. The code does not expect /./ at the end of
> the anonymous ftp path and does not behave correctly if it exists.
>
> The argument could be made that the /./ should never [need to] be on the
> anonymous ftp path since it is always chrooted. Given the unexpected
> consequences of placing it there, and that adding the patch does not alter
> functionality if /./ is not there, I would argue that the source change
> should be made in the eventuality that someone puts /./ on their anon ftp
> path.
>
> anonymous is a chrooted account, and it would be easy to think you needed
> the /./. If /./ is added, it unexpectedly changes the behaviour of the
> daemon for the worse. That hole should be closed.
>
> A better patch against the original source is below; reverse the first
> before applying this one.
>
> -- Michael
>
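An added check, not part of the thread above: a small audit that reads /etc/passwd-style lines and flags accounts whose home directory carries the wu-ftpd "/./" chroot marker at the very end of the path, the configuration Michael describes. The sample passwd lines are constructed for the example; the root/start-directory split follows wu-ftpd's guest-account convention, where the path before "/./" is the chroot root and the part after it is the initial directory.

```python
"""Audit passwd entries for a trailing wu-ftpd "/./" chroot marker."""

MARKER = "/./"


def split_chroot_home(home):
    """Interpret `home` the way wu-ftpd does for guest accounts.

    Returns (chroot_root, start_dir). Without a marker the whole path is the
    root and the session starts at "/" inside it. A marker at the very end of
    the path leaves an empty start directory, reported here as "/".
    """
    if MARKER not in home:
        return home, "/"
    root, _, rest = home.partition(MARKER)
    rest = rest.strip("/")
    return (root or "/"), ("/" + rest if rest else "/")


def audit_passwd(lines):
    """Return (user, home, root, start, status) for entries carrying the marker.

    status is "trailing-marker" when nothing follows "/./" (the form the report
    says the upload-directive code mishandles) and "ok" otherwise. Comments,
    blank lines and malformed lines (fewer than 7 colon-separated fields) are
    skipped so a partially broken file does not abort the audit.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        user, home = fields[0], fields[5]
        if MARKER not in home:
            continue
        root, start = split_chroot_home(home)
        status = "trailing-marker" if start == "/" else "ok"
        findings.append((user, home, root, start, status))
    return findings


# Constructed sample lines (not from any real system or from the thread).
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
ftp:x:14:50:FTP User:/home/ftp/./:/bin/false
guest1:x:1001:1001:Guest:/home/ftpguests/./guest1:/bin/false
plain:x:1002:1002:Plain:/home/plain:/bin/sh
"""

if __name__ == "__main__":
    for user, home, root, start, status in audit_passwd(SAMPLE.splitlines()):
        print(f"{user}: home={home} root={root} start={start} -> {status}")
```

Run it against the real file with `audit_passwd(open("/etc/passwd"))`; the trailing-marker entries are the ones to trim back to a plain path.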