[VIM] FileZilla DoS issues - questions, answers, more questions
Ferdy Riphagen
f.riphagen at nsec.nl
Sat Dec 16 08:55:30 EST 2006
Steven M. Christey wrote:
> 7) The best changes are here:
>
> http://filezilla.cvs.sourceforge.net/filezilla/FileZilla%20Server/source/ControlSocket.cpp?r1=1.129&r2=1.130
>
> You can see how it's resetting a ".pasv" value, and in some places
> also calls CPermissions::DestroyDirlisting and a break if there's no
> socket... which it didn't do previously. Lines 1054, 1767 emphasize
> this. Each of these changes occur within a check for
> "(!m_transferstatus.socket)". Before this code was inserted, a null
> dereference probably would have happened in the next few lines of
> code, since m_transferstatus.socket is assumed to be non-null.
>
> This is the kind of behavior you'd expect from a malformed PORT
> command, because no socket would be created.
>
>
Steve, I think you hit it right there...
This will *NOT* throw an exception:
PASV
PORT 127,0,0,1,55,10
STOR & (or NLST & or LIST &)
Changing PORT to, for example:
"PORT 127,0,0,1,55" (PORT < 5) or
"PORT ,,,,,," or "PORT 127,0,0,1,260,10" (PORT > 65535)
will all generate an exception with the added STOR, NLST or LIST command.
--Ferdy--
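Added example, not FileZilla Server's code and not part of either message above: a strict parser for the RFC 959 PORT argument "h1,h2,h3,h4,p1,p2", plus a small model of the control connection in which STOR, LIST and NLST check for a missing data socket instead of assuming the preceding PORT/PASV created one (the kind of "(!m_transferstatus.socket)" guard Steve points at in the diff). The three malformed PORT forms from Ferdy's message are run through it. All type and function names (PortTarget, ControlSession, runSession) and the reply codes chosen are assumptions for this example; the real server's replies may differ.

```cpp
// Added example (assumed names, not FileZilla Server source).
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

struct PortTarget {
    std::string host;   // dotted quad, e.g. "127.0.0.1"
    uint16_t port;      // p1 * 256 + p2
};

// Accepts exactly six decimal fields in 0..255 and a non-zero port; everything
// else is rejected, including the three malformed forms from the post:
// "127,0,0,1,55" (five fields), ",,,,,," (empty fields) and
// "127,0,0,1,260,10" (p1 > 255, i.e. a port above 65535).
bool parsePortArgument(const std::string& arg, PortTarget& out) {
    std::vector<int> fields;
    std::string cur;
    for (size_t i = 0; i <= arg.size(); ++i) {
        if (i < arg.size() && arg[i] != ',') { cur.push_back(arg[i]); continue; }
        if (cur.empty() || cur.size() > 3) return false;   // empty or oversized field
        int v = 0;
        for (char c : cur) {
            if (c < '0' || c > '9') return false;          // non-digit
            v = v * 10 + (c - '0');
        }
        if (v > 255) return false;                         // byte out of range
        fields.push_back(v);
        cur.clear();
    }
    if (fields.size() != 6) return false;
    out.host = std::to_string(fields[0]) + "." + std::to_string(fields[1]) + "." +
               std::to_string(fields[2]) + "." + std::to_string(fields[3]);
    out.port = static_cast<uint16_t>(fields[4] * 256 + fields[5]);
    return out.port != 0;
}

// Stand-in for the server's transfer socket; only its presence matters here.
struct DataSocket { PortTarget target; bool passive; };

// Minimal model of the control connection around a data transfer. The point
// is the guard in handleTransfer: STOR, LIST and NLST test for a missing
// socket instead of dereferencing one that a failed PORT never created.
struct ControlSession {
    std::unique_ptr<DataSocket> dataSocket;   // null until PORT/PASV succeeds

    int handlePort(const std::string& arg) {
        dataSocket.reset();                   // a new PORT discards any earlier data connection
        PortTarget t;
        if (!parsePortArgument(arg, t)) return 501;   // syntax error in parameters
        dataSocket.reset(new DataSocket{t, false});
        return 200;
    }

    int handlePasv() {
        PortTarget listen{"0.0.0.0", 0};      // placeholder for the server's listening socket
        dataSocket.reset(new DataSocket{listen, true});
        return 227;
    }

    // Shared by STOR, LIST and NLST.
    int handleTransfer() {
        if (!dataSocket) return 425;          // can't open data connection; nothing to dereference
        dataSocket.reset();                   // one transfer per data connection
        return 150;                           // about to open data connection
    }

    // Dispatches one control-connection line and returns the reply code.
    int handleLine(const std::string& line) {
        size_t sp = line.find(' ');
        std::string verb = line.substr(0, sp);
        std::string arg = sp == std::string::npos ? "" : line.substr(sp + 1);
        if (verb == "PORT") return handlePort(arg);
        if (verb == "PASV") return handlePasv();
        if (verb == "STOR" || verb == "LIST" || verb == "NLST") return handleTransfer();
        return 502;                           // command not implemented in this model
    }
};

// Runs a whole command sequence on a fresh session and returns the reply codes.
std::vector<int> runSession(const std::vector<std::string>& lines) {
    ControlSession s;
    std::vector<int> replies;
    for (const auto& l : lines) replies.push_back(s.handleLine(l));
    return replies;
}

int main() {
    // Constructed sequences: the working one from the post and the three malformed PORTs.
    std::vector<std::vector<std::string>> seqs = {
        {"PASV", "PORT 127,0,0,1,55,10", "STOR &"},
        {"PASV", "PORT 127,0,0,1,55", "STOR &"},
        {"PASV", "PORT ,,,,,,", "NLST &"},
        {"PASV", "PORT 127,0,0,1,260,10", "LIST &"},
    };
    for (const auto& seq : seqs) {
        for (int r : runSession(seq)) std::printf("%d ", r);
        std::printf("\n");
    }
    return 0;
}
```

In this model a rejected PORT answers 501 and tears down whatever data socket PASV set up, so the following STOR/NLST/LIST gets 425 rather than a null dereference; the well-formed sequence gets 227, 200, 150.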