vsftpd: problem in deny_hosts (CVE-2015-1419)
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
Set the “deny_file” option in /etc/vsftpd.conf to a top-level directory (for example “deny_file=/home/*”). Then log in over FTP and try to cd to “/home/” first, which fails; then try to cd to “/./home/”, which succeeds. The latter case should not be possible either.
References:
http://seclists.org/oss-sec/2015/q1/389
https://bugzilla.novell.com/show_bug.cgi?id=915522
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00023.html
http://lists.opensuse.org/opensuse-updates/2015-01/msg00041.html
http://secunia.com/advisories/62415
(from redmine: issue id 3905, created on 2015-02-04, closed on 2015-03-16)
- Relations:
- child #3906 (closed)
- child #3907 (closed)
- child #3908 (closed)
- child #3909 (closed)
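
The behaviour reported above ("/home/" denied, "/./home/" allowed) is what a pattern filter produces when it is applied to the path string exactly as the client sent it. The C sketch below is an added example, not vsftpd's code: it models the filter with POSIX fnmatch() (an assumption, vsftpd has its own matcher), and normalize_dir, denied_raw and denied_normalized are hypothetical helper names. It shows the raw check beside one that normalizes the path first.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Lexically normalize an absolute directory path: drop "." and empty segments,
 * resolve "..", end with one '/'. Returns 0, or -1 if relative or too long. */
static int normalize_dir(const char *in, char *out, size_t outsz)
{
    size_t len = 0;
    if (in[0] != '/' || outsz < 2) return -1;
    while (*in) {
        while (*in == '/') in++;                 /* skip repeated slashes */
        size_t seg = strcspn(in, "/");           /* length of next segment */
        if (seg == 2 && in[0] == '.' && in[1] == '.') {
            while (len > 0 && out[--len] != '/') {}   /* pop last segment */
        } else if (seg > 0 && !(seg == 1 && in[0] == '.')) {
            if (len + seg + 3 > outsz) return -1;     /* room for "/seg/" + NUL */
            out[len++] = '/';
            memcpy(out + len, in, seg);
            len += seg;
        }
        in += seg;
    }
    out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* Naive check: match the deny pattern against the path as sent by the client. */
static int denied_raw(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, 0) == 0;
}

/* Hardened check: normalize first; a path that cannot be normalized is denied. */
static int denied_normalized(const char *pattern, const char *path)
{
    char buf[4096];
    return normalize_dir(path, buf, sizeof buf) != 0 || fnmatch(pattern, buf, 0) == 0;
}

int main(void)
{
    const char *pattern = "/home/*";     /* deny_file value from the report */
    const char *paths[] = { "/home/", "/./home/", "/tmp/" };  /* constructed */
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-10s raw=%d normalized=%d\n", paths[i],
               denied_raw(pattern, paths[i]), denied_normalized(pattern, paths[i]));
    return 0;
}
```

Lexical normalization does not resolve symbolic links, so a filter that must also cover those has to compare against the resolved path.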