Re: Mandrake 8.1 Desktop Gone



I just wanted to close this out in case anyone came along after me
with the same problem with the MS IE 7 hacking the ftp security.

First of all, thank you "Old guy" from another old guy that really
appreciated your guidance.

The Mandrake 8.1 distribution included proftpd. I don't know if
it is a flaw in that sample config file, or in that distribution's
proftpd code, or in how I set up the user DefaultRoot, but when
I installed the current proftpd and migrated the config file settings
to the new example, the problem of MS IE 7 being able to get to
root went away.

I tried to navigate to root on the old proftpd server using WSFTP,
command line ftp, MS IE 6, and other ftp tools, and only MS IE 7
would access root.

Installing the current proftpd and setting up the config file using
the new sample as a base fixed the problem.

I will continue to advise the customer to upgrade to a more current
Linux platform... but I doubt that will happen.

-- Frank



On Mar 28, 3:14 pm, ibupro...@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) wrote:
> On 27 Mar 2007, in the Usenet newsgroup alt.os.linux, in article
>
> > The FTP daemon is proftpd.
> >
> > It worked just fine for users on MSIE 6, ws-ftp, etc.
> > When MSIE 7 came around, after a user logs in, they can
> > navigate anywhere.
>
> That makes no sense at all. RFC0959 makes no difference in the commands
> that a client can use, and in any case predates Internet Exploiter by ten
> years.
>
> > Based on your reference to chroot, I checked the proftpd.conf
> > and the users have "DefaultRoot" directories assigned.
>
> That's a usual solution - the capability has been in FTP servers since
> the late 1980s.
>
> > I now think this must be a proftpd bug.
>
> I honestly don't see how. If you haven't chrooted the FTP server, then
> ANY client can give a CDUP command to change to the parent directory, on
> up to the top that the server will allow. The FTP protocol has no idea
> what client is being used - unlike a web browser, because the protocol is
> simple and capabilities simply don't depend on new features the client may
> include. (Actually, the FTP protocol can be traced back to RFC0114 in April
> 1971 - a heck of a long time before Microsoft bought QDOS from Seattle
> Computer Products to have something to sell to IBM for the 1981 PC.)
>
> Old guy
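Moe Trin's point is that confinement is a property of the server, not of the client, and Frank's fix was to redo the DefaultRoot setup. The following check, added here and not part of the thread, does what any FTP client could do: log in, issue CDUP until the working directory stops changing, and report whether the account climbed above where it logged in. It uses Python's standard ftplib; host, user and password are assumed inputs, and SimulatedSession is a constructed stand-in so the climb logic can be exercised without a server.

```python
import ftplib
import posixpath

def climb_to_top(ftp, max_climbs=64):
    """Issue CDUP on a logged-in session until the working directory stops
    changing or the server refuses; return the directories visited, login
    directory first. `ftp` needs only pwd() and sendcmd()."""
    visited = [ftp.pwd()]
    for _ in range(max_climbs):
        try:
            ftp.sendcmd("CDUP")
        except ftplib.Error:        # 4xx/5xx reply: server refused the climb
            break
        here = ftp.pwd()
        if here == visited[-1]:     # top of what the server exposes
            break
        visited.append(here)
    return visited

def escaped_login_dir(visited):
    """True if CDUP moved above the login directory. With 'DefaultRoot ~'
    each user sees its home as '/', so a confined account yields False."""
    return visited[-1] != visited[0]

def check_account(host, user, password, timeout=10):
    """Log in with ftplib and run the climb. Returns (escaped, visited)."""
    with ftplib.FTP(host, timeout=timeout) as ftp:
        ftp.login(user, password)
        visited = climb_to_top(ftp)
    return escaped_login_dir(visited), visited

class SimulatedSession:
    """Constructed stand-in for a logged-in session (no real server): models
    pwd() and CDUP only. `jail` is what the server shows as '/', or None."""
    def __init__(self, home, jail=None):
        self.real, self.jail = home, jail

    def pwd(self):
        if self.jail is None:
            return self.real
        rel = posixpath.relpath(self.real, self.jail)
        return "/" if rel == "." else "/" + rel

    def sendcmd(self, cmd):
        top = self.jail or "/"
        if cmd == "CDUP" and self.real != top:   # CDUP at the visible root is a no-op
            self.real = posixpath.dirname(self.real)
        return "250 CDUP command successful"
```

Run check_account() with a test account against your own server; a chrooted account should report no movement at all.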
