Message-ID: <BAY1-F17xRdgKcGwdgH0000998b@hotmail.com>
From: hughmann at hotmail.com (Hugh Mann)
Subject: Re: How to crash a harddisk - the Ipswitch WS_FTP Server way

>From: exon <exon@...e.se>
>This is old news.
>It is also RFC compliant behaviour, even though admittedly silly.

You say this is old news. Can you tell me where this WS_FTP server 
vulnerability has been published before? I always search Google and BugTraq 
before posting anything to make sure nothing is old news.

Perhaps you mean that some FTP servers have been known to be vulnerable to 
easy creation of arbitrarily sized files using REST? So what? How many 
programs have been vulnerable to buffer overflows? I don't hear people 
complaining about buffer overflow vulnerabilities being old news.

Also, I don't think you fully read my advisory. It says that a user who has 
a max total file size limit can create arbitrarily sized files. That is, the 
user can create a file much larger than the user is allowed to create.
