Bug with big security risk - GROUPVFSFILE


darko
12-03-2004, 08:32 PM
Everyone can execute, for example:
site change AnyGrp GROUPVFSFILE ..\etc\admin.vfs

although in the .ini it's disallowed:


[Change-Permissions]
groupvfsfile = M


Example, logged in as a normal user (no +M flag):

[R] (02:15:54) SITE CHANGE AnyGrp GROUPVFSFILE ..\etc\admin.vfs
[R] (02:15:55) 200 CHANGE Command successful.
[R] (02:16:15) CWD .


This is pretty bad :<

Mouton
12-04-2004, 03:01 AM
[02:58:12] [R] site user
[02:58:12] [R] 200-.--------------------------------[User Info]----------------------------------.
[02:58:12] [R] 200-| |
[02:58:12] [R] 200-| Login: Zazzle Group: Dolls |
[02:58:12] [R] 200-| Unfo : Im is cool! Flags: 3 |
...
[02:58:02] [R] site change test groupvfsfile ..\vfs\patate.vfs
[02:58:02] [R] 500 groupvfsfile: Permission denied.


Your ini should have [Change_Permissions], not [Change-Permissions].
This is mentioned in the upgrade thread, and probably in other forum posts.
You upgraded your .exe, but didn't change your .ini accordingly... Thus the security breach on your FTP.
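One way to catch the mistake Mouton diagnoses before it reaches a live server, as an added example (not code from the thread or from ioFTPD): a small Python check that flags ini sections the server does not know, names the closest known section, and models how a restriction written into an unread section yields no restriction at all. The schema list (only the one section named in the thread) and the fail-open model are assumptions based solely on what the thread shows.

```python
import configparser
import difflib

# Section names the server is assumed to read. Assumption: only the one named
# in the thread; a real checker would list every section of the ini schema.
KNOWN_SECTIONS = ["Change_Permissions"]

# Constructed ini fragments: the misspelled section from the first post and
# the corrected one from Mouton's reply.
BROKEN_INI = "[Change-Permissions]\ngroupvfsfile = M\n"
FIXED_INI = "[Change_Permissions]\ngroupvfsfile = M\n"


def unknown_sections(ini_text, known=KNOWN_SECTIONS):
    """Return [(section, closest_known_or_None)] for sections the server never reads.

    A section outside the schema is silently ignored, so every restriction
    inside it is lost; a close match to a known name is the typo case
    (hyphen instead of underscore) seen in the thread.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    findings = []
    for section in cp.sections():
        if section not in known:
            close = difflib.get_close_matches(section, known, n=1, cutoff=0.8)
            findings.append((section, close[0] if close else None))
    return findings


def required_flags(ini_text, command, section="Change_Permissions"):
    """Model the lookup the thread demonstrates: the flags required for a
    'site change <target> <command>' subcommand, or '' when no restriction
    is found (the fail-open result darko observed)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section(section):
        return ""
    # configparser lowercases option names, matching the ini's lowercase keys.
    return cp.get(section, command.lower(), fallback="")


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_INI), ("fixed", FIXED_INI)):
        print(name, unknown_sections(text), repr(required_flags(text, "GROUPVFSFILE")))
```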

EwarWoo
12-04-2004, 03:30 AM
A good reason not to make extreme claims in thread titles.
You just got owned darko and EVERYONE will be reading this thread ;)
Hehe
Feel for ya fella

darko
12-04-2004, 10:36 PM
Originally posted by EwarWoo
A good reason not to make extreme claims in thread titles.
You just got owned darko and EVERYONE will be reading this thread ;)
Hehe
Feel for ya fella

Hehe. Not really.

It was an old bug; I thought it didn't get fixed (http://www.ioftpd.com/board/showthread.php?s=&threadid=1000&highlight=GROUPVFSFILE).

It did, obviously.

Sorry.

Thanks, Mouton, for pointing it out.