<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="200405-09">
  <title>ProFTPD Access Control List bypass vulnerability</title>
  <synopsis>
    Version 1.2.9 of ProFTPD introduced a vulnerability that causes CIDR-based
    Access Control Lists (ACLs) to be treated as "AllowAll", thereby allowing
    remote users full access to files available to the FTP daemon.
  </synopsis>
  <product type="ebuild">proftpd</product>
  <announced>2004-05-19</announced>
  <revised count="01">2004-05-19</revised>
  <bug>49496</bug>
  <access>remote</access>
  <affected>
    <package name="net-ftp/proftpd" auto="yes" arch="*">
      <unaffected range="ge">1.2.9-r2</unaffected>
      <vulnerable range="eq">1.2.9-r1</vulnerable>
      <vulnerable range="eq">1.2.9</vulnerable>
    </package>
  </affected>
  <background>
    <p>
    ProFTPD is an FTP daemon.
    </p>
  </background>
  <description>
    <p>
    ProFTPD 1.2.9 introduced a vulnerability that allows CIDR-based ACLs (such
    as 10.0.0.1/24) to be bypassed. The CIDR ACLs are disregarded, with the net
    effect being similar to an "AllowAll" directive.
    </p>
  </description>
  <impact type="high">
    <p>
    This vulnerability may allow unauthorized files, including critical system
    files, to be downloaded and/or modified, thereby allowing a potential
    remote compromise of the server.
    </p>
  </impact>
  <workaround>
    <p>
    Users may work around the problem by avoiding the use of CIDR-based ACLs.
    </p>
  </workaround>
  <resolution>
    <p>
    ProFTPD users are encouraged to upgrade to the latest version of the
    package:
    </p>
    <code>
    # emerge sync
    # emerge -pv ">=net-ftp/proftpd-1.2.9-r2"
    # emerge ">=net-ftp/proftpd-1.2.9-r2"</code>
  </resolution>
  <references>
    <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0432">CAN-2004-0432</uri>
  </references>
  <metadata tag="submitter">
    klieber
  </metadata>
</glsa>