COMMAND

    Rumpus FTP

SYSTEMS AFFECTED

    Rumpus FTP v1.3.3, 2.0 dev 3(MacOS 8.6, 9.1), probably earlier

PROBLEM

    Jass Seljamaa  found following.   If you  try to  make a directory
    which name is 65 characters  long, the Rumpus FTP service  and the
    computer freezes.   You can try  to force Rumpus  to quit, but  it
    never  worked  (always  crashed  when  pressed  the \'Force quit\'
    button).  Also, the passwords  are stored in plain text  (in prefs
    folder,  a  file  called  \'Rumpus  User  Database\'),  as in most
    macintosh programs, Maxum Support  said to think about  encrypting
    passwords in newer versions.

    Exploit:

        ftp 192.168.0.1

        user anonymous
        pass an@nymo.us

        mkdir aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

SOLUTION

    Vendor contacted, fixed in version 1.3.4.