Land rapid7#4078, pureftpd_bash_env_exec desc. update

wvu · wvu · commit 090d9b95d13d · 2014-10-27T12:12:09.000-05:00
diff --git a/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb b/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb
@@ -15,10 +15,13 @@ def initialize(info = {})
     super(update_info(info,
       'Name'            => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection',
       'Description'     => %q(
-        This module exploits the code injection flaw known as shellshock which
-        leverages specially crafted environment variables in Bash. This exploit
-        specifically targets Pure-FTPd when configured to use an external
-        program for authentication.
+        This module exploits the code injection flaw known as Shellshock, which leverages specially
+        crafted environment variables in Bash.
+
+        Please note that this exploit specifically targets Pure-FTPd compiled with the --with-extauth
+        flag, and an external Bash program for authentication. If the server is not set up this way,
+        understand that even if the operating system is vulnerable to Shellshock, it cannot be
+        exploited via Pure-FTPd.
       ),
       'Author'          =>
         [
@@ -31,7 +34,8 @@ def initialize(info = {})
           ['CVE', '2014-6271'],
           ['OSVDB', '112004'],
           ['EDB', '34765'],
-          ['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc']
+          ['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc'],
+          ['URL', 'http://download.pureftpd.org/pub/pure-ftpd/doc/README.Authentication-Modules']
         ],
       'Payload'         =>
         {
