[OpenAFS] FTPD vulnerable to glob?

Derrick J Brashear shadow@dementia.org
Tue, 17 Apr 2001 21:44:33 -0400 (EDT)


On Tue, 17 Apr 2001, Thomas Vincent wrote:

> Hi Everyone,
> I was curious if anyone had verified if the FTPd in the OpenAFS cvs is
> vulnerable to the globbing attack that was identified recently.
> 
> I would like to use an AFS-aware ftpd server. Does anyone have any other
> recommendations than the ftp server in the CVS?

Heimdal (ftp://ftp.pdc.kth.se/pub/heimdal) includes an AFS-aware ftpd, and
it can be compiled with Kerberos v4 in addition to the obviously-included
Kerberos v5 functionality; if you don't care about v5, kth-krb
(ftp://ftp.pdc.kth.se/pub/krb) should have one with only v4 and no v5
support which supports AFS.

I don't know if there's been a release since the ftp glob attack; you'd do
well to ask on the appropriate list.

I encourage you to not use, and to *never* use the ftpd, inetd, or rcmd
tools that come with AFS as they are known to be insecure.

-D