[Wzdftpd-security] wzdftpd security advisory 2005-01

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Date: 26/09/2005

Topic: unsecure use of popen() in wzdftpd <= 0.5.4

Systems affected: wzdftpd 0.5.4 and prior
  wzdftpd-cvs: source prior to September 26, 2005

Platforms: all

Severity: high to critical (remote exploitation possible)

Description:

  wzdftpd offers the possibility to extend site commands by adding
custom site commands in configuration file. Some of these commands may
be executed using the popen() function, without the necessary checks.

  This can be exploited by a remote attacker to execute commands as
the user running wzdftpd on the server, usually user 'ftp' but it can
be root on some systems.

  The severity is not set to critical since this does not affect the
default configuration, as no custom site command is provided.

Solution:

  Temporarily disable any custom site command in the configuration
file (directives: cscript and site_cmd) and patch the server with the
attached patch (or upgrade to the shortcoming 0.5.5 version).

The wzdftpd team.