Bug with big security risk - GROUPVFSFILE

darko · 12-03-2004, 08:32 PM

Every one can execute for example:
site change AnyGrp GROUPVSFILE ..\etc\admin.vfs

although in .ini its being disallowed:

Code:

[Change-Permissions]
groupvfsfile = M

Example logged in as normal user (no +M flag):

[code]
[R] (02:15:54) SITE CHANGE AnyGrp GROUPVFSFILE ..\etc\admin.vfs
[R] (02:15:55) 200 CHANGE Command successful.
[R] (02:16:15) CWD .

This is pretty bad :<

Mouton · 12-04-2004, 03:01 AM

Code:

[02:58:12] [R] site user
[02:58:12] [R] 200-.--------------------------------[User Info]----------------------------------.
[02:58:12] [R] 200-|                                                                             |
[02:58:12] [R] 200-| Login: Zazzle                         Group: Dolls                          |
[02:58:12] [R] 200-| Unfo : Im is cool!                    Flags: 3                              |
...
[02:58:02] [R] site change test groupvfsfile ..\vfs\patate.vfs
[02:58:02] [R] 500 groupvfsfile: Permission denied.

You ini should have [Change_Permissions], not [Change-Permissions]
This is mentioned in the upgrade thread, and probably in other forum posts.
You upgraded your .exe, but didn't change your .ini accordingly... Thus the security breach on your FTP.

EwarWoo · 12-04-2004, 03:30 AM

A good reason not to make extreme claims in thread titles.
You just got owned darko and EVERYONE will be reading this thread

Hehe
Feel for ya fella

darko · 12-04-2004, 10:36 PM

Quote:

Originally posted by EwarWoo
A good reason not to make extreme claims in thread titles.
You just got owned darko and EVERYONE will be reading this thread
Hehe
Feel for ya fella

hehe. not really.

It was an old bug i thought it didnt get fixed (http://www.ioftpd.com/board/showthre...t=GROUPVFSFILE)

It did obviously

sorry

thnx Mouton for pointing it out.