
lynx-ssl (maybe lynx as well) and apache



I have discovered something kind of disturbing on a security front...
I have installed a Debian testing/unstable

If I leave the default setting for FTP from Apache

---
Server version: Apache/1.3.29 (Debian GNU/Linux)
Server built:   Nov  5 2003 18:49:32
---

this seems to allow users to access their own accounts by just adding their 
username and password
I.e. ftp://[username]:[password]@[ip-address]:[port]
(port can be left out on most programs, usually 210)

However, if I open this with lynx

---
lynx --version
Lynx Version 2.8.4rel.1 (17 Jul 2001)
libwww-FM 2.14, SSL-MM 1.4.1, OpenSSL 0.9.6c
Built on linux-gnu Nov 22 2002 21:54:44

Copyrights held by the University of Kansas, CERN, and other contributors.
Distributed under the GNU General Public License.
See http://lynx.browser.org/ and the online help for more information.

See http://www.moxienet.com/lynx/ for information about SSL for Lynx.
See http://www.openssl.org/ for information about OpenSSL.
---

lynx ftp://[username]:[password]@[ip-address]:[port]

I am able to view the root directory, not /home/username, but /

This confused me initially. I looked into it a little bit, but with my limited 
knowledge (and time) I thought I would bring it to the attention of the 
[hopefully, most likely] more knowing...



If anyone would like more information, I will try to provide it, email is 
kylem.byerly@mcleodusa.net
I am not allowed to have any public information services with my ISP, so I 
cannot (without threat of losing my internet connection) have an FTP server 
open to the public...

Please send me an email if you have a solution, explanation or questions. Also, 
let me know if I sent this to the wrong list.  Thank you.


