[OpenAFS] FTPD vulnerable to glob?

Derrick J Brashear shadow@dementia.org
Tue, 17 Apr 2001 21:44:33 -0400 (EDT)

On Tue, 17 Apr 2001, Thomas Vincent wrote:

> Hi Everyone,
> I was curious if anyone had verified if the FTPd in the OpenAFS cvs is
> vulnerable to the globbing attack that was identified recently.
> I would like to use a AFS aware ftpd server. Does anyone have any other
> recommendations, then the ftp server in the CVS?

Heimdal (ftp://ftp.pdc.kth.se/pub/heimdal) includes an AFS-aware ftpd, and
it can be compiled with Kerberos v4 in addition to the obviously-included
Kerberos v5 functionality; If you don't care about v5, kth-krb
(ftp://ftp.pdc.kth.se/pub/krb) should have one with only v4 and no v5
support which supports AFS.

I don't know if there's been a release since the ftp glob attack; You'd do
well to ask on the appropriate list.

I encourage you to not use, and to *never* use the ftpd, inetd, or rcmd
tools that come with AFS as they are known to be insecure.