Date: 26/09/2005
Topic: insecure use of popen() in wzdftpd <= 0.5.4
Systems affected: wzdftpd 0.5.4 and prior
wzdftpd-cvs: source prior to September 26, 2005
Platforms: all
Severity: high to critical (remote exploitation possible)
Description:
wzdftpd allows site commands to be extended by adding custom site
commands in the configuration file. Some of these commands may be
executed using the popen() function, without the necessary checks.
A remote attacker can exploit this to execute commands as the user
running wzdftpd on the server, usually user 'ftp', but it can be root
on some systems.
The severity is not set to critical since this does not affect the
default configuration, as no custom site command is provided.
Solution:
Temporarily disable any custom site command in the configuration
file (directives: cscript and site_cmd) and patch the server with the
attached patch (or upgrade to the upcoming 0.5.5 version).
The wzdftpd team.