Bug#626524: proftpd-basic: DefaultAddress 127.0.0.1 not obeyed

Hilmar Preuße hille42 at web.de
Sun May 6 16:19:01 BST 2018


On 12.05.2011 18:23, Andrei Caraman wrote:

Hi Andrei,

> Package: proftpd-basic
> Version: 1.3.3a-6squeeze1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
https://bugs.debian.org/626524

Please read below.

> After adding the "DefaultAddress 127.0.0.1" in the server config section and
> restarting proftpd-basic, I can see 
> 
> # /etc/init.d/proftpd restart
> Stopping ftp server: proftpd.
> Starting ftp server: proftpd - setting default address to 127.0.0.1
> .
> 
> However, a quick "netstat -tlpe" after that shows 
> 
> # netstat -tlpe
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State   User       Inode       PID/Program name
> tcp        0      0 *:ftp                   *:*                     LISTEN  proftpd    2207704     1739/proftpd: (acce
> 
> and I have confirmed I get the initial username/password dialog when
> connecting from a remote client.
> 
> This has the potential of creating a false sense of security for the
> administrator:  we see the message about setting the default address to
> 127.0.0.1 and we expect no remote client can connect, when in fact anyone
> can.  

TJ finally clarified:

<snip>
If you have:

  SocketBindTight on

And proftpd receives a connection for which there is no <VirtualHost>
configured, the client will receive this response

  500 Sorry, no server available to handle request on xxx.xxx.xxx.xxx.

EXCEPT if your proftpd.conf has "DefaultServer on" somewhere. If
DefaultServer IS used, then that <VirtualHost> (or "server config")
section bearing the "DefaultServer on" setting is used to handle that
connection -- that's what the DefaultServer directive is for.

Thus if your "SocketBindTight on" configuration is not causing clients
to receive the "no server available to handle request" when they try to
connect to an unconfigured IP address/port, then it says that your
proftpd.conf is using DefaultServer somewhere.
<snip>

...to clarify why the 500 error messages are missing. So, are we all set?
Can we close that non-bug?

Hilmar
-- 
#206401 http://counter.li.org
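As an added example (not part of this thread, and not proftpd's or Debian's code): a small Python audit that parses a proftpd.conf and reports what the DefaultAddress / SocketBindTight / DefaultServer combination will actually bind and whom it will serve. It encodes proftpd's documented behaviour (SocketBindTight defaults to off, which binds the wildcard address; a server with DefaultServer on answers connections on addresses no <VirtualHost> claims). The two sample configs are constructed, the `<hostname>` placeholder stands for the address proftpd resolves itself when DefaultAddress is absent, and the "DefaultServer on" in the weak sample is assumed, as TJ's explanation implies for the reporter's setup.

```python
"""Audit a proftpd.conf for the DefaultAddress / SocketBindTight /
DefaultServer interaction behind this report.

Added example, not proftpd's or Debian's code.  It encodes proftpd's
documented behaviour: SocketBindTight defaults to off, which binds the
wildcard address, and a server with DefaultServer on answers connections
on addresses no <VirtualHost> claims.  The configs at the bottom are
constructed samples.
"""
import ipaddress
import re

_TRUE = {"on", "yes", "true", "1"}
_FALSE = {"off", "no", "false", "0"}
_OPEN = re.compile(r"^<([A-Za-z]+)(?:\s+(.*?))?>$")
_CLOSE = re.compile(r"^</[A-Za-z]+>$")


def parse_proftpd_conf(text):
    """Parse the subset of proftpd.conf syntax the audit needs.

    Returns [(section, args, directives)]; the first entry is the top-level
    'server config', each <Name args>...</Name> block gets its own entry.
    Directive names are lower-cased (proftpd matches them case-insensitively)
    and a directive repeated in one section keeps its last value.
    """
    sections = [("server config", [], {})]
    stack = [sections[0]]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        m = _OPEN.match(line)
        if m:
            sec = (m.group(1), (m.group(2) or "").split(), {})
            sections.append(sec)
            stack.append(sec)
            continue
        if _CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
            continue
        parts = line.split(None, 1)
        stack[-1][2][parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return sections


def _on(value, default=False):
    """Interpret a proftpd boolean; unknown spellings fall back to default."""
    if value is None:
        return default
    v = value.lower()
    return True if v in _TRUE else False if v in _FALSE else default


def _is_loopback(addr):
    """True for 127.0.0.0/8, ::1 and the literal name 'localhost'."""
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return addr.lower() == "localhost"


def audit_listen_exposure(conf_text):
    """Work out what proftpd will bind and whom it will serve.

    Returns a dict with:
      listen           addresses bound ('*' is the wildcard netstat shows)
      remote_reachable a remote client can complete the TCP connect
      remote_served    a remote client gets the login dialog instead of
                       '500 Sorry, no server available to handle request'
      findings         human-readable explanations
    """
    sections = parse_proftpd_conf(conf_text)
    main = sections[0][2]
    vhosts = [s for s in sections if s[0].lower() == "virtualhost"]
    # Without DefaultAddress proftpd uses the host's own resolved address;
    # '<hostname>' stands in for it here (assumed to be non-loopback).
    default_address = main.get("defaultaddress", "").split() or ["<hostname>"]
    bind_tight = _on(main.get("socketbindtight"), default=False)
    default_servers = ["server config"] if _on(main.get("defaultserver")) else []
    default_servers += ["<VirtualHost %s>" % " ".join(v[1])
                        for v in vhosts if _on(v[2].get("defaultserver"))]
    public_cfg = (any(not _is_loopback(a) for a in default_address)
                  or any(not _is_loopback(a) for v in vhosts for a in v[1]))

    findings = []
    if bind_tight:
        # Each socket is bound to one configured server address, so whoever
        # can connect at all is handled by the server owning that address.
        listen = list(default_address) + [a for v in vhosts for a in v[1]]
        remote_reachable = any(not _is_loopback(a) for a in listen)
        remote_served = remote_reachable
        findings.append("SocketBindTight on: listeners bound only to %s" % ", ".join(listen))
    else:
        listen = ["*"]
        remote_reachable = True
        remote_served = public_cfg or bool(default_servers)
        if any(_is_loopback(a) for a in default_address):
            findings.append("DefaultAddress %s set but SocketBindTight is off: proftpd "
                            "binds the wildcard address, so remote clients reach the port"
                            % " ".join(default_address))
        if default_servers:
            findings.append("DefaultServer on in %s answers connections to unconfigured "
                            "addresses: remote clients get the login prompt"
                            % ", ".join(default_servers))
        elif not public_cfg:
            findings.append("no DefaultServer: remote clients are refused with the 500 "
                            "'no server available' response, but the port is open")
    return {"listen": listen, "remote_reachable": remote_reachable,
            "remote_served": remote_served, "findings": findings}


# Constructed sample: the reporter's situation (DefaultServer on assumed,
# SocketBindTight unset, i.e. off).
WEAK_CONF = """
ServerName      "Debian"
DefaultServer   on
DefaultAddress  127.0.0.1
Port            21
"""

# Constructed sample: what actually restricts the listener to loopback.
HARDENED_CONF = """
ServerName      "Debian"
DefaultServer   off
SocketBindTight on
DefaultAddress  127.0.0.1
Port            21
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        r = audit_listen_exposure(conf)
        print(label, r["listen"], "served remotely:", r["remote_served"])
        for f in r["findings"]:
            print("  -", f)
```

Running it against the weak sample reports the wildcard bind plus the DefaultServer finding (the reporter's "login prompt from a remote client"); with DefaultServer off but SocketBindTight still off it reports the 500 response TJ describes; only the hardened sample yields a 127.0.0.1-only listener. On the live host the matching check is the same `netstat -tlpe` (or `ss -tlnp`) the report used: after the change it should show 127.0.0.1:21 rather than *:ftp.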