I have discovered something kind of disturbing on a security front...
I have installed a Debian testing/unstable.
If I leave the default setting for ftp from apache
---
Server version: Apache/1.3.29 (Debian GNU/Linux)
Server built: Nov 5 2003 18:49:32
---
this seems to allow users to access their own accounts by just adding
their username and password
I.e. ftp://[username]:[password]@[ip-address]:[port]
(port can be left out on most programs, usually 210)
However, if I open this with lynx
---
lynx --version
Lynx Version 2.8.4rel.1 (17 Jul 2001)
libwww-FM 2.14, SSL-MM 1.4.1, OpenSSL 0.9.6c
Built on linux-gnu Nov 22 2002 21:54:44
Copyrights held by the University of Kansas, CERN, and other contributors.
Distributed under the GNU General Public License.
See http://lynx.browser.org/ and the online help for more information.
See http://www.moxienet.com/lynx/ for information about SSL for Lynx.
See http://www.openssl.org/ for information about OpenSSL.
---
lynx ftp://[username]:[password]@[ip-address]:[port]
I am able to view the root directory, not /home/username, but /
This confused me initially, I looked into it a little bit, but with my
limited knowledge (and time) I thought I would bring it to the attention
of the [hopefully, most likely] more knowing...
If anyone would like more information, I will try to provide it, email is
kylem.byerly@mcleodusa.net
I am not allowed to have any public information services with my ISP, so
I cannot (without threat of losing my internet connection) have an ftp
server open to the public...
Please send me an email if you have a solution, explanation or questions,
also, let me know if I sent this to the wrong list. Thank you.
--
To UNSUBSCRIBE, email to debian-apache-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org