Go Back   FlashFXP Forums > > > >
Bug with big security risk - GROUPVFSFILE Bug with big security risk - GROUPVFSFILE
Tickets Today's Posts Search

ioFTPD General New releases, comments, questions regarding the latest version of ioFTPD.

 
 
Thread Tools Rate Thread Display Modes
Prev Previous Post   Next Post Next
Old 12-03-2004, 08:32 PM   #1
darko
Member
FlashFXP Registered User
ioFTPD Foundation User
 
Join Date: May 2004
Posts: 74
Default Bug with big security risk - GROUPVFSFILE
Every one can execute for example:
site change AnyGrp GROUPVSFILE ..\etc\admin.vfs

although in .ini its being disallowed:

Code:
[Change-Permissions]
groupvfsfile = M
Example logged in as normal user (no +M flag):

[code]
[R] (02:15:54) SITE CHANGE AnyGrp GROUPVFSFILE ..\etc\admin.vfs
[R] (02:15:55) 200 CHANGE Command successful.
[R] (02:16:15) CWD .


This is pretty bad :<
darko is offline   Reply With Quote
 

Tags
anygrp, change, etcadmin.vfs, groupvfsfile, [r]

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -5. The time now is 01:38 PM.
Archive - Privacy Statement - Top
Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)