Vigil@nce - vsftpd: bypassing deny_hosts
February 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can bypass the deny_hosts directive of vsftpd, in
order to access to forbidden files.
Impacted products: openSUSE, SUSE Linux Enterprise Desktop, SLES,
vsftpd
Severity: 2/4
Creation date: 03/02/2015
DESCRIPTION OF THE VULNERABILITY
The deny_file directive of the vsftpd.conf file is used to
restrict the access to a file. For example "deny_file=/home/*".
However, using for example the syntax "/./home/", an attacker can
access to files located under "/home".
An attacker can therefore bypass the deny_hosts directive of
vsftpd, in order to access to forbidden files.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/vsftpd-bypassing-deny-hosts-16099