[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : wuarchive ftpd Vulnerability

Title: wuarchive ftpd Vulnerability
Released by: CERT
Date: 9th April 1993
Printable version: Click here

Hash: SHA1



Last Revised: September 19,1997

                Attached copyright statement

                                CERT Advisory

                                April 9, 1993

                         wuarchive ftpd Vulnerability

- ---------------------------------------------------------------------------

The CERT Coordination Center has received information concerning a

vulnerability in versions of wuarchive ftpd available before April 8,

1993.  Vulnerable wuarchive ftpd versions were available from

wuarchive.wustl.edu:/packages/ftpd.wuarchive.shar and many other

anonymous FTP sites.

We strongly recommend that any site using versions of wuarchive ftpd 

dating prior to April 8, 1993, immediately take corrective action or 

remove this service.

- ---------------------------------------------------------------------------

I.   Description

     A vulnerability exists in the access control mechanism in this 

     version of ftpd.


II.  Impact

     Anyone (remote or local) can potentially gain access to any 

     account including root on a host running this version of ftpd.

III. Solution 

     Affected sites may choose to disable anonymous FTP service until

     they have corrected this problem.


     Affected sites can correct this problem through one of the

     following two procedures:

     A. A new version of ftpd has been released that provides new features

        and also fixes this security problem.  Sites can obtain this new 

        version via anonymous FTP from wuarchive.wustl.edu ( 

        The files are located in:

                                                      Size      Checksum

        /packages/wuarchive-ftpd/wu-ftpd-2.0.shar    421953      08786

        /packages/wuarchive-ftpd/wu-ftpd-2.0.tar     491520      27466

     B. Make modifications to your existing wuarchive ftpd sources using

        the diff output provided below, recompile and install according to 

        the instructions provided. 

*** ftpd.c.orig

- --- ftpd.c


*** 413,418 ****

- --- 413,420 ----




+       anonymous = 0;


        if (!strcasecmp(name, "ftp") || !strcasecmp(name, "anonymous")) {

                if (checkuser("ftp") || checkuser("anonymous")) {

                        reply(530, "User %s access denied.", name);

- ---------------------------------------------------------------------------

The CERT Coordination Center wishes to thank Scott Paisley, Computer Systems 

Support Manager, Factory Automated Systems Division, N.I.S.T., for informing 

us of this vulnerability.  We would also like to thank Chris Myers, Washington

University, for his quick response to this problem.

- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in FIRST (Forum of Incident

Response and Security Teams).

Internet E-mail: cert@cert.org

Telephone: 412-268-7090 (24-hour hotline)

           CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),

           on call for emergencies during other hours.

CERT Coordination Center

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890

Past advisories, information about FIRST representatives, and other

information related to computer security are available for anonymous FTP

from cert.org (

- ------------------------------------------------------------------------------

Copyright 1993 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


Revision History:

September 19,1997  Attached Copyright Statement


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.