Quote:
Originally Posted by ADDiCT
- i've seen quite a few remote exploits that will either crash the server or allow an attacker to run code, ioFTPD never had any known exploit
Just to be picky, I wouldn't consider this a valid point.
Serv-U has a substantially larger user base and is quite well known (obviously, I hope I haven't lost your attention already). Greater product exposure tends to yield a larger exploit turn over. ioFTPD has had plenty of possible exploits, but no one took the opportunity to write a proof-of-concept and publish it (to my knowledge anyway). More than likely because ioFTPD is still a beta product and people with the expertise have never heard of ioFTPD. (Count the number of times that buffer/stack overflow is mentioned in ioFTPD's change-log, though this does not mean all were exploitable.) Nevertheless, we are all beta testers, testing an unfinished product, so it is something we have come to accept.
One thing Serv-U does have is a steady release cycle and quick response to published exploits. Which I'm sure will change once ioFTPD reaches a final state. There are several possible exploitable situations in the current version of ioFTPD (Beta-5.8.5). However, there are reasonable workarounds.
- Ability to crash the daemon remotely by using the "SITE CHOWN user:group" command without the directory argument. By default, this command is only available to administrators, so its threat is minimal. To workaround this issue, the command can be completely restricted so users are unable to access it (chown = !*).
http://www.inicom.net/forum/showthread.php?t=13133
- A specially crafted .ioFTPD file *could* be dropped in the site directory to achieve local privilege escalation (assuming ioFTPD is running as a privileged user). This could only occur locally, since ioFTPD forbids the uploading of .ioFTPD files. To workaround this issue, run ioFTPD as an unprivileged user and restrict access to your "ioFTPD\site" directory (or similar).
http://www.inicom.net/forum/showthread.php?t=13369
Just my two cents.
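The `chown = !*` workaround above restricts a SITE command by its permission line. The following is an added example (not ioFTPD code and not from the post) that audits such a permission section offline: it parses an ini-style block and evaluates, for a set of users, whether each could run a given command. The section name `FTP_SITE_Permissions`, the sample users and the permission syntax modelled (`*` everyone, flag characters such as `1M`, `=group`, `-user`, and a leading `!` that denies and takes precedence) are assumptions for illustration; only `chown = !*` comes from the post.

```python
"""Audit an ioFTPD-style SITE command permission section (added example).

The permission grammar below is an assumption, not ioFTPD's documented
syntax: entries are space separated; `*` matches everyone; a run of flag
characters (e.g. `1M`) matches any user holding one of those flags;
`=group` matches group members; `-user` matches one user; a leading `!`
turns the entry into a denial that overrides any allow.
"""
import configparser
from dataclasses import dataclass, field

# Constructed sample resembling a permissions section (section name assumed).
SAMPLE_INI = """
[FTP_SITE_Permissions]
chown = M
chmod = 1M =staff
who   = *
"""

# Same section with the workaround from the post applied: nobody may CHOWN.
HARDENED_INI = SAMPLE_INI.replace("chown = M", "chown = !*")


@dataclass
class User:
    name: str
    flags: str
    groups: set = field(default_factory=set)


def entry_matches(entry, user):
    """Return True if a single (non-negated) permission entry covers user."""
    if entry == "*":
        return True
    if entry.startswith("="):
        return entry[1:] in user.groups
    if entry.startswith("-"):
        return entry[1:] == user.name
    # Otherwise the entry is a set of flag characters; any one suffices.
    return any(ch in user.flags for ch in entry)


def is_allowed(permission, user):
    """Evaluate a whole permission string; a matching `!` entry denies."""
    allowed = False
    for entry in permission.split():
        if entry.startswith("!"):
            if entry_matches(entry[1:], user):
                return False
        elif entry_matches(entry, user):
            allowed = True
    return allowed


def load_permissions(ini_text):
    """Parse the ini text and return {command: permission string}."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return dict(cp["FTP_SITE_Permissions"])


def audit(ini_text, command, users):
    """Map each user's name to whether they may run `command`.

    A command missing from the section is treated as denied (`!*`); this
    default is a conservative choice for the audit, not ioFTPD behaviour.
    """
    perms = load_permissions(ini_text)
    permission = perms.get(command, "!*")
    return {u.name: is_allowed(permission, u) for u in users}


if __name__ == "__main__":
    siteop = User("siteop", "1M")
    bob = User("bob", "3", {"staff"})
    print("default :", audit(SAMPLE_INI, "chown", [siteop, bob]))
    print("hardened:", audit(HARDENED_INI, "chown", [siteop, bob]))
```

Running the audit against the default and hardened sections shows the difference the workaround makes: with `chown = M` the flag-M siteop can still reach the command, while `chown = !*` denies everyone, which is the state the post recommends until the crash is fixed.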