Update description about pureftpd_bash_env_exec

wchen-r7 · wchen-r7 · commit 7e56948191da · 2014-10-27T10:23:06.000-05:00
Make exploitable requirements more obvious
diff --git a/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb b/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb
@@ -16,9 +16,12 @@ def initialize(info = {})
       'Name'            => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection',
       'Description'     => %q(
         This module exploits the code injection flaw known as shellshock which
-        leverages specially crafted environment variables in Bash. This exploit
-        specifically targets Pure-FTPd when configured to use an external
-        program for authentication.
+        leverages specially crafted environment variables in Bash.
+
+        Please note that this exploit specifically targets Pure-FTPd compiled with the --with-extauth
+        flag, and an external bash program for authentication. If the server is not set up this way,
+        understand that even if the operating system is vulnerable to 'Shellshock', it cannot be
+        exploited via Pure-FTPd.
       ),
       'Author'          =>
         [
@@ -31,7 +34,8 @@ def initialize(info = {})
           ['CVE', '2014-6271'],
           ['OSVDB', '112004'],
           ['EDB', '34765'],
-          ['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc']
+          ['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc'],
+          ['URL', 'http://download.pureftpd.org/pub/pure-ftpd/doc/README.Authentication-Modules']
         ],
       'Payload'         =>
         {
