Update description about pureftpd_bash_env_exec

Make exploitable requirements more obvious
2014-10-27 10:23:06 -05:00 · 2014-10-27 10:23:06 -05:00 · 7e56948191
parent 313c2407ad
commit 7e56948191
1 changed files with 8 additions and 4 deletions
--- a/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb
+++ b/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb
@ -16,9 +16,12 @@ class Metasploit4 < Msf::Exploit::Remote
      'Name'            => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection',
      'Description'     => %q(
        This module exploits the code injection flaw known as shellshock which
-        leverages specially crafted environment variables in Bash. This exploit
-        specifically targets Pure-FTPd when configured to use an external
-        program for authentication.
+        leverages specially crafted environment variables in Bash.
+
+        Please note that this exploit specifically targets Pure-FTPd compiled with the --with-extauth
+        flag, and an external bash program for authentication. If the server is not set up this way,
+        understand that even if the operating system is vulnerable to 'Shellshock', it cannot be
+        exploited via Pure-FTPd.
      ),
      'Author'          =>
        [
@ -31,7 +34,8 @@ class Metasploit4 < Msf::Exploit::Remote
          ['CVE', '2014-6271'],
          ['OSVDB', '112004'],
          ['EDB', '34765'],
-          ['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc']
+          ['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc'],
+          ['URL', 'http://download.pureftpd.org/pub/pure-ftpd/doc/README.Authentication-Modules']
        ],
      'Payload'         =>
        {