LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-13-2004, 05:04 PM   #1
bullshit
Member
 
Registered: Oct 2003
Posts: 44

Rep: Reputation: 15
ProFTPD-Dreamweaver security issue


Hi there:
The following scenario describes a potential security hole in ProFTPD; let me know if I'm wrong.

I've managed to connect to my FTP server behind a NAT. Connecting to the FTP server's public IP manually from a Linux box works like a charm and the server jails me into the dir it is supposed to, but when connecting using Dreamweaver I can see the entire server HD and actually modify some sensitive files, even though I connect using a non-root account.
For the time being I've closed the ports until I find a more secure way of FTPing.

Any solutions? I could post my config and the Dreamweaver FTP log output.

Cheers
 
Old 07-14-2004, 02:23 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Ditch FTP in favour of SFTP or SCP, or even Rsync over SSH?
Any info (wrt reproducing) should go to the respective owners' security contacts or dev mailing lists IMHO, unless someone here has a setup with ProFTPD and Dreamweaver and wants to try.
 
Old 07-14-2004, 03:05 PM   #3
netmask
Member
 
Registered: Jul 2004
Location: Sherbrooke, Quebec, Canada, North America, World, Milky Way
Distribution: Gentoo
Posts: 103

Rep: Reputation: 16
Wow.. that would be insane..

I'll try it when I get back from work and post my results.
 
Old 07-14-2004, 04:08 PM   #4
bullshit
Member
 
Registered: Oct 2003
Posts: 44

Original Poster
Rep: Reputation: 15
Hi there:
Of course I'm planning to move to some sort of SFTP or SCP, but you have to "build the foundation before you build the house" (borrowed from someone).

Here you go:
Using ProFTPD 1.2.9

ProFTPD Server configuration

ServerName "ProFTPD"
ServerType standalone
DefaultServer on
AllowStoreRestart on
Port 21
Umask 022 022
MaxInstances 30
User ftp
Group ftp
DefaultRoot ~
DefaultTransferMode binary
UseFtpUsers on
#DefaultRoot /var/ftp
<Directory />
AllowOverwrite on
GroupOwner ftp
</Directory>

<Limit LOGIN>
Order Allow,Deny
Allow from 192.168.2.
Deny from All
</Limit>

<Directory /pub>
<Limit WRITE>
AllowAll
</Limit>
<Limit DELE>
AllowAll
</Limit>
</Directory>
# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
User ftp
Group ftp
UserAlias anonymous ftp
MaxClients 10
AllowStoreRestart off
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
PersistentPasswd off
DefaultRoot /home/public_html public_html
SystemLog /var/log/proftpd.log
#TransferLog /var/log/xferlog

<VirtualHost 192.168.2.XXX>
ServerName "LAN FTP"
ServerAdmin "bullshit@hell.com"
Port 2002
MasqueradeAddress XXX.XXX.XXX.XXX
PassivePorts XXXXX XXXXX
AllowForeignAddress on
User ftp
Group ftp
DefaultChdir ~
Umask 022
AllowStoreRestart on
AllowOverWrite on
<Global>
<Limit WRITE SITE_CHMOD MKD DELE RMD STOR>
AllowAll
</Limit>
AllowOverride On
</Global>
</VirtualHost>



Dreamweaver nightmare FTP log


Using port XXXX
< 220 ProFTPD 1.2.9 Server (LAN FTP) [xxx.xxx.xxx.xxx]
> USER bullshit
< 331 Password required for bullshit.
> PASS
< 230 User bullshit logged in.
> PWD
< 257 "/home/bullshit" is current directory.
> PWD
< 257 "/home/bullshit" is current directory.

> CWD /home/bullshit
< 250 CWD command successful.
> MKD MM_CASETEST4291
< 257 "/home/bullshit/MM_CASETEST4291" - Directory successfully created
> CWD /home/bullshit
< 250 CWD command successful.
> RMD MM_CASETEST4291
< 250 RMD command successful
> CWD /
< 250 CWD command successful.
> PWD
< 257 "/" is current directory.

> CWD /
< 250 CWD command successful.
> PASV
< 227 Entering Passive Mode (XXX,XXX,XXX,XXX,XXX,XXX).
> TYPE A
< 200 Type set to A
> LIST
< 150 Opening ASCII mode data connection for file list
< drwxr-x--x 2 root adm 4096 Mar 13 19:46 bin
< drwx--x--- 3 root ctools 4096 Jul 12 08:05 boot
< drwx--x--x 24 root root 94208 Jul 12 08:04 dev
< drwx--x--x 70 root adm 4096 Jul 12 09:03 etc
< drwx--x--x 10 root adm 4096 Jul 10 10:05 home
< drwxr-xr-x 11 root root 1024 Mar 13 20:08 initrd
< drwxr-x--x 13 root adm 4096 Jul 12 08:04 lib
< drwx------ 2 root root 4096 Mar 14 20:59 lost+found
< drwxr-x--- 6 root adm 4096 Jan 5 2004 mnt
< drwxr-xr-x 2 root root 4096 Jan 5 2004 opt
< dr-xr-x--- 117 root adm 0 Jul 12 08:04 proc
< drwx------ 30 root root 4096 Jul 12 08:08 root
< drwxr-x--x 2 root adm 4096 May 19 07:22 sbin
< drwxr-xr-x 9 root root 0 Jul 12 08:04 sys
< drwxrwx-wt 26 root adm 4096 Jul 12 08:08 tmp
< drwxr-x--x 12 root adm 4096 Mar 13 21:30 usr
< drwxr-xr-x 22 root root 4096 Apr 13 10:04 var
< 226 Transfer complete.
< 220 ProFTPD 1.2.9 Server (LAN FTP) [xxx.xxx.xxx.xxx]
> USER jorge
< 331 Password required for bullshit.
> PASS
< 230 User bullshit logged in.
> PWD
< 257 "/home/bullshit" is current directory.
> CWD //dev
< 250 CWD command successful.
> PWD
< 257 "/dev" is current directory.

> CWD /dev
< 250 CWD command successful.
> PASV
< 227 Entering Passive Mode (XXX,XXX,XXX,XXX,XXX,XXX).
> TYPE A
< 200 Type set to A
> LIST
< 150 Opening ASCII mode data connection for file list
< 226 Transfer complete.
> CWD //bin
< 250 CWD command successful.
> PWD
< 257 "/bin" is current directory.

> CWD /bin
< 250 CWD command successful.
> PASV
< 227 Entering Passive Mode (XXX,XXX,XXX,XXX,XXX,XXX).
> TYPE A
< 200 Type set to A
> LIST
< 150 Opening ASCII mode data connection for file list
< -rwxr-xr-x 1 root root 2708 Jan 30 13:40 arch
< lrwxrwxrwx 1 root root 4 Mar 13 19:29 awk -> gawk
< -rwxr-xr-x 1 root root 12792 Jan 26 18:38 basename
< -rwxr-xr-x 1 root root 641036 Jan 5 2004 bash
< lrwxrwxrwx 1 root root 4 Mar 13 19:29 bash2 -> bash
< -rwxr-xr-x 1 root root 16600 Jan 26 18:38 cat
< -rwxr-xr-x 1 root root 34476 Jan 26 18:38 chgrp
< -rwxr-xr-x 1 root root 34476 Jan 26 18:38 chmod
< -rwxr-xr-x 1 root root 36556 Jan 26 18:38 chown
< -rwxr-xr-x 1 root root 42968 Sep 22 2003 consolechars
< -rwxr-xr-x 1 root root 50924 Jan 26 18:38 cp
< -rwxr-xr-x 1 root root 52524 Jul 22 2003 cpio
< lrwxrwxrwx 1 root root 4 Mar 13 19:39 csh -> tcsh
< -rwxr-xr-x 1 root root 27256 Jan 26 18:38 cut
< -rwxr-xr-x 1 root root 46712 Jan 26 18:38 date
< -rwxr-xr-x 1 root root 28236 Jan 26 18:38 dd
< -rwxr-xr-x 1 root root 34476 Jan 26 18:38 df
< -rwxr-xr-x 1 root root 4124 Jan 30 13:40 dmesg
< lrwxrwxrwx 1 root root 8 Mar 13 19:30 dnsdomainname -> hostname
< -rwxr-xr-x 1 root root 2580 Mar 2 16:55 doexec
< lrwxrwxrwx 1 root root 8 Mar 13 19:30 domainname -> hostname
< -rwxr-xr-x 1 root root 13912 Jan 26 18:38 echo
< -rwxr-xr-x 1 root root 42776 Jul 22 2003 ed
< -rwxr-xr-x 1 root root 33 Jan 3 2004 egrep
< -rwxr-xr-x 1 root root 13880 Jan 26 18:38 env
< lrwxrwxrwx 1 root root 20 Mar 13 19:31 ex -> /etc/alternatives/ex
< -rwxr-xr-x 1 root root 11768 Jan 26 18:38 false
< -rwxr-xr-x 1 root root 824408 Feb 24 19:20 fbmngplay.static
< -rwxr-xr-x 1 root root 3960 Feb 24 19:20 fbresolution
< -rwxr-xr-x 1 root root 821112 Feb 24 19:20 fbtruetype.static
< -rwxr-xr-x 1 root root 33 Jan 3 2004 fgrep
< -rwxr-xr-x 1 root root 52876 Jan 29 17:18 find
< -rwxr-xr-x 1 root root 254360 Dec 14 2003 gawk
< lrwxrwxrwx 1 root root 4 Mar 13 19:29 gawk-3.1.2 -> gawk
< -rwxr-xr-x 1 root root 9128 Jan 10 2004 gettext
< -rwxr-xr-x 1 root root 75596 Jan 3 2004 grep
< lrwxrwxrwx 1 root root 3 Mar 13 19:30 gtar -> tar
< -rwxr-xr-x 3 root root 49628 Jun 16 2003 gunzip
< -rwxr-xr-x 3 root root 49628 Jun 16 2003 gzip
< -rwxr-xr-x 1 root root 9700 Jul 23 2003 hostname
< -rwxr-xr-x 1 root root 16056 Jan 26 18:38 id
< -rwxr-xr-x 1 root root 3089 Dec 14 2003 igawk
< -rwxr-xr-x 1 root root 27028 Mar 2 16:55 ipcalc
< -rwxr-xr-x 1 root root 22064 Jul 28 2003 ipv6calc
< -rwxr-xr-x 1 root root 8056 Jan 30 13:40 kill
< -rwxr-xr-x 1 root root 12632 Jan 26 18:38 link
< -rwxr-xr-x 1 root root 23576 Jan 26 18:38 ln
< -rwxr-xr-x 1 root root 77624 Sep 22 2003 loadkeys
< -rwxr-xr-x 1 root root 19768 Jan 30 13:40 login
< -rwxr-xr-x 1 root root 82060 Jan 26 18:38 ls
< -rwxr-xr-x 1 root mail 81496 Jul 21 2003 mail
< -rwxr-xr-x 1 root root 22104 Jan 26 18:38 mkdir
< -rwxr-xr-x 1 root root 20332 Jan 26 18:38 mknod
< -rwxr-xr-x 1 root root 4112 May 25 2003 mktemp
< -rwxr-xr-x 1 root root 27768 Jan 30 13:40 more
< -rwsr-xr-x 1 root root 95256 Jan 30 13:40 mount
< lrwxrwxrwx 1 root root 28 Mar 13 19:46 mount.cifs -> /etc/alternatives/mount.cifs
< -rwsr-xr-x 1 root root 14384 Mar 1 22:08 mount.cifs3
< -rwxr-xr-x 1 root root 55116 Jan 26 18:38 mv
< -rwxr-xr-x 1 root root 94220 Jul 23 2003 netstat
< -rwxr-xr-x 1 root root 15544 Jan 26 18:38 nice
< lrwxrwxrwx 1 root root 8 Mar 13 19:30 nisdomainname -> hostname
< -rwxr-xr-x 1 root root 7312 Jul 11 2003 open
< -rwsr-x--- 1 root ntools 30860 Jul 28 2003 ping
< -r-xr-xr-x 1 root root 12204 Dec 29 2003 procps3-kill
< -rwxr-xr-x 1 root root 9848 Feb 24 19:20 progress
< -r-xr-xr-x 1 root root 67436 Dec 29 2003 ps
< -rwxr-xr-x 1 root root 13848 Jan 26 18:38 pwd
< lrwxrwxrwx 1 root root 4 Mar 13 19:29 rbash -> bash
< lrwxrwxrwx 1 root root 2 Mar 13 19:40 red -> ed
< -rwxr-xr-x 1 root root 32152 Jan 26 18:38 rm
< -rwxr-xr-x 1 root root 13848 Jan 26 18:38 rmdir
< -rwxr-x--- 1 rpm rpm 80152 Feb 25 13:00 rpm
< lrwxrwxrwx 1 root root 21 Mar 13 19:31 rvi -> /etc/alternatives/rvi
< lrwxrwxrwx 1 root root 23 Mar 13 19:31 rview -> /etc/alternatives/rview
< -rwxr-xr-x 1 root root 89688 Jan 27 11:50 sed
< lrwxrwxrwx 1 root root 4 Mar 13 19:29 sh -> bash
< -rwxr-xr-x 1 root root 14520 Jan 26 18:38 sleep
< -rwxr-xr-x 1 root root 48076 Jan 26 18:38 sort
< -rwxr-xr-x 1 root root 34584 Jan 26 18:38 stat
< -rwxr-xr-x 1 root root 36856 Jan 26 18:38 stty
< -rwsr-xr-x 1 root root 20728 Jan 26 18:38 su
< -rwxr-xr-x 1 root root 12152 Jan 26 18:38 sync
< -rwxr-xr-x 1 root root 143052 Jul 23 2003 tar
< -rwxr-xr-x 1 root root 321900 Jul 29 2003 tcsh
< -rwxr-xr-x 1 root root 34424 Jan 26 18:38 touch
< -rwxr-xr-x 1 root root 11768 Jan 26 18:38 true
< -rwsr-xr-x 1 root root 30936 Jan 30 13:40 umount
< -rwxr-xr-x 1 root root 13848 Jan 26 18:38 uname
< -rwxr-xr-x 1 root root 314 Sep 22 2003 unicode_start
< -rwxr-xr-x 1 root root 12632 Jan 26 18:38 unlink
< -rwxr-xr-x 1 root root 23060 Mar 2 16:55 usleep
< lrwxrwxrwx 1 root root 20 Mar 13 19:30 vi -> /etc/alternatives/vi
< lrwxrwxrwx 1 root root 22 Mar 13 19:31 view -> /etc/alternatives/view
< lrwxrwxrwx 1 root root 21 Mar 13 19:30 vim -> /etc/alternatives/vim
< -rwxr-xr-x 1 root root 426680 Jan 12 2004 vim-minimal
< lrwxrwxrwx 1 root root 8 Mar 13 19:30 ypdomainname -> hostname
< -rwxr-xr-x 3 root root 49628 Jun 16 2003 zcat
< 226 Transfer complete.
> CWD /bin/awk
< 550 /bin/awk: Not a directory
> CWD /bin/bash2
< 550 /bin/bash2: Not a directory
> CWD /bin/csh
< 550 /bin/csh: Not a directory
> CWD /bin/dnsdomainname
< 550 /bin/dnsdomainname: Not a directory
> CWD /bin/domainname
< 550 /bin/domainname: Not a directory
> CWD /bin/ex
< 550 /bin/ex: Not a directory
> CWD /bin/gawk-3.1.2
< 550 /bin/gawk-3.1.2: Not a directory
> CWD /bin/gtar
< 550 /bin/gtar: Not a directory
> CWD /bin/mount.cifs
< 550 /bin/mount.cifs: Not a directory
> CWD /bin/nisdomainname
< 550 /bin/nisdomainname: Not a directory
> CWD /bin/rbash
< 550 /bin/rbash: Not a directory
> CWD /bin/red
< 550 /bin/red: Not a directory
> CWD /bin/rvi
< 550 /bin/rvi: Not a directory
> CWD /bin/rview
< 550 /bin/rview: Not a directory
> CWD /bin/sh
< 550 /bin/sh: Not a directory
> CWD /bin/vi
< 550 /bin/vi: Not a directory
> CWD /bin/view
< 550 /bin/view: Not a directory
> CWD /bin/vim
< 550 /bin/vim: Not a directory
> CWD /bin/ypdomainname
< 550 /bin/ypdomainname: Not a directory
> CWD //home
< 250 CWD command successful.
> PWD
< 257 "/home" is current directory.

> CWD /home
< 250 CWD command successful.
> PASV
< 227 Entering Passive Mode (XXX,XXX,XXX,XXX,XXX,XXX).
> TYPE A
< 200 Type set to A
> LIST
< 150 Opening ASCII mode data connection for file list
< 226 Transfer complete.
> CWD //initrd
< 250 CWD command successful.
> PWD
< 257 "/initrd" is current directory.

> CWD /initrd
< 250 CWD command successful.
> PASV
< 227 Entering Passive Mode (XXX,XXX,XXX,XXX,XXX,XXX).
> TYPE A
< 200 Type set to A
> LIST
< 150 Opening ASCII mode data connection for file list
< drwxr-xr-x 2 root root 1024 Mar 13 20:08 bin
< drwxr-xr-x 2 root root 1024 Mar 13 20:08 dev
< drwxr-xr-x 2 root root 1024 Mar 13 20:08 etc
< drwxr-xr-x 2 root root 1024 Mar 13 20:08 lib
< -rwxr-xr-x 1 root root 578 Mar 13 20:08 linuxrc
< drwxr-xr-x 2 root root 1024 Mar 13 20:08 loopfs
< dr-xr-x--- 116 root adm 0 Jul 12 08:04 proc
< drwxr-xr-x 2 root root 1024 Mar 13 20:08 safedev
< lrwxrwxrwx 1 root root 3 Mar 13 20:08 sbin -> bin
< drwxr-xr-x 2 root root 1024 Mar 13 20:08 sys
< drwxr-xr-x 2 root root 1024 Mar 13 20:08 sysroot
< 226 Transfer complete.
> CWD /initrd/sbin
< 250 CWD command successful.
> CWD /initrd/bin
< 250 CWD command successful.
> PWD
< 257 "/initrd/bin" is current directory.

> CWD /initrd/bin
< 250 CWD command successful.
> PASV
< 227 Entering Passive Mode (XXX,XXX,XXX,XXX,XXX,XXX).
> TYPE A
< 200 Type set to A
> LIST
< 150 Opening ASCII mode data connection for file list
< -rwxr-xr-x 1 root root 16872 Feb 12 14:32 insmod
< lrwxrwxrwx 1 root root 11 Mar 13 20:08 modprobe -> ../bin/nash
< -rwxr-xr-x 1 root root 33256 Feb 12 14:32 nash
< 226 Transfer complete.
> CWD /initrd/bin/modprobe
< 550 /initrd/bin/modprobe: Not a directory


I was denied access to some dirs like /home; otherwise I can crawl around the entire system. You can see in the logs that I log in as bullshit and later I was granted access to some root-owned files and dirs. Scary!


Regards
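The transcript above lends itself to an automated check. The script below is an added example, not part of the thread and not from Dreamweaver or ProFTPD: it reads a client log in the same ">" (client) / "<" (server) format, collects every path the server reports in a 257 reply, and for each login reports whether the first PWD answer was "/" (what a DefaultRoot chroot produces, since the jail hides the real path) and which reported paths fall outside the directory that user is supposed to be confined to. The sample transcript (one login shaped like the posted one, plus a constructed login "alice" that the server did confine) and the expected-home table are constructed for the example.

```python
"""Audit an FTP client transcript for sessions that are not confined to the user's home.

Added example, not taken from the thread or from any FTP client or server.
Input format assumption: lines beginning with '>' are client commands and
lines beginning with '<' are server replies, as in the posted Dreamweaver log.
The sample transcript and the expected-home table below are constructed.
"""
import re
from typing import Dict, List

USER_CMD = re.compile(r"^>\s*USER\s+(\S+)")
# 257 replies carry a quoted path: PWD answers and MKD confirmations.
PATH_REPLY = re.compile(r'^<\s*257\s+"([^"]*)"')


def parse_sessions(log: str) -> List[Dict]:
    """Split the transcript at each USER command; collect the paths reported after it."""
    sessions: List[Dict] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = USER_CMD.match(line)
        if m:
            sessions.append({"user": m.group(1), "paths": []})
            continue
        m = PATH_REPLY.match(line)
        if m and sessions:
            sessions[-1]["paths"].append(m.group(1))
    return sessions


def is_inside(path: str, root: str) -> bool:
    """True if path equals root or lies below it (pure string test, no filesystem access)."""
    root = root.rstrip("/") or "/"
    if root == "/":
        return path.startswith("/")
    return path == root or path.startswith(root + "/")


def audit(log: str, expected_home: Dict[str, str]) -> List[Dict]:
    """For each login, report whether the session looks chrooted and which reported
    paths lie outside the directory the user should be confined to.

    A server applying DefaultRoot ~ answers the first PWD with "/"; a first PWD
    of "/home/<user>" means no chroot was applied. Users missing from
    expected_home get an empty home and are never flagged.
    """
    findings = []
    for s in parse_sessions(log):
        paths = s["paths"]
        home = expected_home.get(s["user"], "")
        chrooted = bool(paths) and paths[0] == "/"
        # Inside a chroot every reported path is relative to the jail, so only
        # unchrooted sessions can report a path outside the expected home.
        outside = [] if chrooted else [p for p in paths if not is_inside(p, home)]
        findings.append({"user": s["user"], "chrooted": chrooted, "outside_home": outside})
    return findings


# Constructed transcript in the shape of the posted log: one unconfined login,
# then one constructed login (alice) that the server did confine.
SAMPLE_LOG = """\
< 220 ProFTPD 1.2.9 Server (LAN FTP) [xxx.xxx.xxx.xxx]
> USER bullshit
< 331 Password required for bullshit.
> PASS
< 230 User bullshit logged in.
> PWD
< 257 "/home/bullshit" is current directory.
> MKD MM_CASETEST4291
< 257 "/home/bullshit/MM_CASETEST4291" - Directory successfully created
> CWD /
< 250 CWD command successful.
> PWD
< 257 "/" is current directory.
> CWD //bin
< 250 CWD command successful.
> PWD
< 257 "/bin" is current directory.
< 220 ProFTPD 1.2.9 Server (LAN FTP) [xxx.xxx.xxx.xxx]
> USER alice
< 331 Password required for alice.
> PASS
< 230 User alice logged in.
> PWD
< 257 "/" is current directory.
> CWD /docs
< 250 CWD command successful.
> PWD
< 257 "/docs" is current directory.
"""

EXPECTED_HOME = {"bullshit": "/home/bullshit", "alice": "/home/alice"}

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, EXPECTED_HOME):
        state = "chrooted" if f["chrooted"] else "NOT chrooted"
        print(f"{f['user']}: {state}; paths outside home: {f['outside_home']}")
```

Run against the sample, the first login is reported as not chrooted with "/" and "/bin" outside its home, while the constructed second login is reported as chrooted with nothing outside. The same check applies to a server-side transfer or system log once the USER and 257 lines are extracted from it.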
 
Old 07-14-2004, 05:09 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
1. #DefaultRoot /var/ftp
Any reason to reconfigure ProFTPD to allow users access to / ?
You must allow FTP users access to only certain designated dirs on the system. Also, if these are FTP-only users you don't need actual local accounts: use virtual ones.

2. The default FTP user and your user account *do not* have rights to overwrite any system files (just try it).

All in all this just is a misconfigured FTP, otherwise nothing out of the ordinary. I won't comment on the FTP config: for FTP (if I really have to) I prefer Muddleftpd or Vsftpd, but in general I use services over SSH.
 
Old 07-14-2004, 05:45 PM   #6
bullshit
Member
 
Registered: Oct 2003
Posts: 44

Original Poster
Rep: Reputation: 15
Hi:

You are right about having virtual accounts for FTP-only users; I'll do that in the near future, otherwise. This is absolutely a must.

1. I believe that #DefaultRoot /var/ftp is commented out, so it doesn't affect the behavior of the server.

2. I'm sure that the server's actual conf is not exactly a secure one, but still, how could you explain the Nightmareweaver behaviour? When logging in otherwise from a Linux shell to the server, I got chrooted to the logged-in user's dir, as expected.

3. I believe I didn't give / access to users, at least not deliberately.

Any help would be appreciated.

Regards
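A check that makes unSpawn's first point (post #5) and the question in post #6 testable, as an added example that is not from the thread or from the ProFTPD project. It relies on one documented ProFTPD rule: directives in the main server context are not inherited by a <VirtualHost> section; only directives placed inside <Global> apply to the main server and every virtual host, and DefaultChdir only picks the starting directory, it does not chroot. The script splits a configuration into its server contexts and reports the ones with no DefaultRoot of their own, treating a commented-out line as absent. Both configurations it checks are constructed for the example: one cut down to the shape of the posted config (with a documentation address in place of the XXX placeholders), and one where DefaultRoot sits in a top-level <Global> block.

```python
"""Report ProFTPD server contexts that have no DefaultRoot of their own.

Added example, not from the thread or from the ProFTPD project. It relies on
one documented ProFTPD rule: directives in the main server context are not
inherited by <VirtualHost> sections; only directives inside <Global> apply to
the main server and every virtual host. The two configurations below are
constructed for this example (the weak one is cut down to the shape of the
posted config, with 192.0.2.10 as a placeholder address).
"""
import re
from typing import Dict, List

OPEN_TAG = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")


def parse_contexts(text: str) -> Dict[str, List[str]]:
    """Map each server context ('server config' and each VirtualHost) to its directives.

    Lines inside <Global> are appended to every context. Lines inside other
    blocks (<Directory>, <Limit>, <Anonymous>) are ignored: they scope
    permissions within a context but never set the login chroot.
    """
    contexts: Dict[str, List[str]] = {"server config": []}
    global_lines: List[str] = []
    current = "server config"
    open_blocks: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # a commented-out directive is no directive
        if not line:
            continue
        m = OPEN_TAG.match(line)
        if m:
            name = m.group(1).lower()
            if name == "virtualhost":
                current = f"VirtualHost {(m.group(2) or '').strip()}"
                contexts[current] = []
            open_blocks.append(name)
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if open_blocks and open_blocks.pop() == "virtualhost":
                current = "server config"
            continue
        inner = [b for b in open_blocks if b != "virtualhost"]
        if inner == ["global"]:
            global_lines.append(line)
        elif not inner:
            contexts[current].append(line)
    for ctx in contexts:
        contexts[ctx].extend(global_lines)
    return contexts


def unconfined_contexts(text: str) -> List[str]:
    """Contexts where no DefaultRoot directive is in effect, in file order.

    Note: DefaultRoot with a group argument (DefaultRoot /path somegroup) only
    confines that group; this check treats any DefaultRoot as present.
    """
    return [
        ctx for ctx, lines in parse_contexts(text).items()
        if not any(l.split()[0].lower() == "defaultroot" for l in lines)
    ]


# Constructed: the shape of the posted config. DefaultRoot is set in the main
# context only; the virtual host has DefaultChdir, which does not chroot.
WEAK_CONFIG = """\
ServerName "ProFTPD"
ServerType standalone
DefaultRoot ~
#DefaultRoot /var/ftp
<Directory />
AllowOverwrite on
</Directory>
<VirtualHost 192.0.2.10>
ServerName "LAN FTP"
Port 2002
DefaultChdir ~
<Global>
<Limit WRITE>
AllowAll
</Limit>
</Global>
</VirtualHost>
"""

# Constructed: DefaultRoot moved into a top-level <Global> so that it applies
# to the main server and to every virtual host.
FIXED_CONFIG = """\
ServerName "ProFTPD"
ServerType standalone
<Global>
DefaultRoot ~
</Global>
<VirtualHost 192.0.2.10>
ServerName "LAN FTP"
Port 2002
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("posted shape", WEAK_CONFIG), ("DefaultRoot in <Global>", FIXED_CONFIG)):
        print(f"{label}: unconfined contexts = {unconfined_contexts(cfg)}")
```

For the weak configuration the only unconfined context is the virtual host, which is the server that answers on port 2002 with the "LAN FTP" banner; for the fixed one the list is empty. The check is a static one and does not replace testing a login, but it is cheap to run after every config change.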
 
All times are GMT -5.