Go Back   FlashFXP Forums > > > >

ADDiCT's scripts sitewho.exe, ioGroups, ioGui, ioLimitTransfers, ioSecureAdduser

Reply
 
Thread Tools Rate Thread Display Modes
Old 05-14-2005, 08:09 AM   #1
odd
Senior Member
ioFTPD Registered User
 
Join Date: Sep 2003
Posts: 273
Default Site command, not able to restric

Just found one thing that is a kinda security issue.

Im useing ioGroups and have overide site command "SITE USERS" from ioFTPD default to ioGroups. I was playing around with an anonymous account and found out that ANY one can use "SITE USERS"

Ive trippled checked my ioFTPD.ini to see if anything is wrong but cant find nothing. Here is what my ioFTPD.ini contains:

Code:
[FTP_Pre-Command_Events]
site 		= EXEC ..\scripts\iogroups\ioGroups.exe override_site_users

[FTP_Custom_Commands]
lusers    		= EXEC ..\scripts\iogroups\ioGroups.exe listusers

[FTP_SITE_Permissions]
users		= 1GM
Code:
Admin 		= flags 1M
Simple User 	= flags 3Ff
Anonymous 	= flags 3A
Everyone of abow can use "SITE USERS"
Can someone confirm this as I get the same on two ftpds.
odd is offline   Reply With Quote
Old 05-14-2005, 08:37 AM   #2
esmandil
Senior Member
FlashFXP Registered User
ioFTPD Foundation User
 
Join Date: Oct 2004
Posts: 107
Default

Well, it is working OK for me... i.e., normal users CAN NOT use "site users", they get "permission denied".

No idea what may be wrong in your config.
esmandil is offline   Reply With Quote
Old 05-14-2005, 02:11 PM   #3
odd
Senior Member
ioFTPD Registered User
 
Join Date: Sep 2003
Posts: 273
Default

If I disable
Code:
[FTP_Pre-Command_Events]
site 		= EXEC ..\scripts\iogroups\ioGroups.exe override_site_users
I get following when trying:

Code:
[R] site users
[R] 550 'SITE users': Access denied.
Very weird.
odd is offline   Reply With Quote
Old 05-16-2005, 07:32 AM   #4
esmandil
Senior Member
FlashFXP Registered User
ioFTPD Foundation User
 
Join Date: Oct 2004
Posts: 107
Default

What's weird about it?

I would assume "override_site_users" does what it says
esmandil is offline   Reply With Quote
Old 05-16-2005, 07:59 AM   #5
odd
Senior Member
ioFTPD Registered User
 
Join Date: Sep 2003
Posts: 273
Default

Whats weird is that WHEN I use override_users, everybody can access "SITE USERS" while not usesing override_users only 1M flags can access "SITE USERS"
odd is offline   Reply With Quote
Old 05-16-2005, 08:07 AM   #6
ADDiCT
Senior Member
FlashFXP Beta Tester
ioFTPD Scripter
 
Join Date: Aug 2003
Posts: 517
Default

Apparently, i was already fixing that about a year ago:
Code:
[FTP_Pre-Command_Events]
site = EXEC ..\scripts\ioGroups.exe override_internal

override_uinfo        = 1
flags_restrict_uinfo  = 1M

override_users        = 1
flags_restrict_users  = 1M

override_groups       = 1
flags_restrict_groups = 1M
but i think it was still unfinished or in beta status or something. I will look into it after my exams (end of june), and that's a promise I'll try to keep
(might post something here to remind me at the time)
ADDiCT is offline   Reply With Quote
Reply

Tags
anonymous, exec, flags, site, users


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
GuildFTPd command set (import) Jesper Custom Commands 4 07-29-2011 12:41 AM


All times are GMT -5. The time now is 11:14 AM.

Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)