Mark Dineen

Solved by updating https://github.com/evanmiller/mod_zip/blob/808fb55e7235a201ea862e02dab612b87787d5a4/ngx_http_zip_module.c#L366 ``` 366 - sr_ctx = ngx_http_get_module_ctx(r, ngx_http_zip_module); 366 + sr_ctx = ngx_http_get_module_ctx(r->main, ngx_http_zip_module); ``` I'll send a pr

The fix in #91 didn't work. By using s3fs the module calculates the crc32 properly.

I'm also experiencing this issue. Although we can increase ulimts, that doesn't scale and shouldn't be necessary.

I've successfully demonstrated the vulnerability using this recipe: http://www.securityfocus.com/archive/1/516901 Instead of adding a RSET to SMTP, add a NOOP to FTP's STARTTLS command. You see the response to both commands,...

The vulnerability as it affects Pyftpdlib is that if the ~~STARTTLS~~ `AUTH TLS` command has a plaintext command after it, the plaintext command is accepted in the clear, and returns...

Corrected. If you pull the OpenSSL source code from my git repo and build it, there's a simple command line test. ``` ./config make make install apps/openssl s_client -quiet -starttls...

I've added a one-line fix that fixes this for me. At the end of `TLS_FTPHandler.ftp_AUTH` I added: `self.ac_in_buffer = ''` I've put it in my derived class. Supported sync clients...

Any further questions I can answer or follow up I can provide on this?

You can't do it from the download package, you have to change the source for it to hit the exploit. Please see my change set at https://github.com/mdineen/openssl/commit/18ad39bdf223c139c43dd8f82e9e29687095bb70 The issue is...

> The subrequest context is supposed to be set here: > > https://github.com/evanmiller/mod_zip/blob/808fb55e7235a201ea862e02dab612b87787d5a4/ngx_http_zip_module.c#L570-L572 > > I wonder if that's not happening for some reason. When I debug that out, the...