[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

lynx-ssl (maybe lynx as well) and apache

I have discovered something kind of disturbing on a security front...
I have installed a debian testing/unstable

If i leave the default setting for ftp from apache

Server version: Apache/1.3.29 (Debian GNU/Linux)
Server built:   Nov  5 2003 18:49:32

this seems to allow users to access their own accounts with just adding their 
username and password
I.e. ftp://[username]:[password]@[ip-address]:[port]
(port can be left out on most programs, usually 210

However if i open this with lynx

lynx --version
Lynx Version 2.8.4rel.1 (17 Jul 2001)
libwww-FM 2.14, SSL-MM 1.4.1, OpenSSL 0.9.6c
Built on linux-gnu Nov 22 2002 21:54:44

Copyrights held by the University of Kansas, CERN, and other contributors.
Distributed under the GNU General Public License.
See http://lynx.browser.org/ and the online help for more information.

See http://www.moxienet.com/lynx/ for information about SSL for Lynx.
See http://www.openssl.org/ for information about OpenSSL.

lynx ftp://[username]:[password]@[ip-address]:[port]

I am able to view the root directory not /home/username, but /

This confused me initially, I looked into it a little bit, but with my limited 
knowledge (and time) I thought I would bring it to the attention of the 
[hopefully,most likely] more knowing...

If anyone would like more information, I will try to provide it, email is 
I am not allowed to have any public information services with my isp, so i 
cannot (without threat of losing my internet connection) have a ftp server 
open to the public...

Please send me an email if you have a solution, eplanation or questions, also, 
let me know if i sent this to the wrong list.  Thank you.

Reply to: