Re: Request for Audit: proftpd and wu-ftpd
I've been through the code a bit on both, but a full thorough audit of
them is very difficult... Neither was apparently written by people very
familiar with good security practices, and with the heaps of patches
loaded on them over time, it has gotten to the point that they're
very difficult to dig through.

This being said, if anyone wants to work on a decent audit, I'd be happy
to work with them, after I'm through digging through the CUPS source code
(which will take a while; the code-to-hole ratio, from what I've seen so
far, is pretty depressing -- and what's worse, I got a note from one
of the developers stating that they're more worried about DOS attacks than
buffer overflows and the like, because "buffer overflow attacks require
extensive knowledge of the system being attacked" or some such... I
pointed him to Aleph One's stack smashing article; hopefully it makes

proftpd 1.2.0 pre7 seems to be a better candidate to start on, IMHO, once
you get used to the style. The code *has* come a long way, with lots of
fixes since pre6. Tracking the execution path in wuftpd proved difficult
at best... but I am willing to give it another go.

On Sat, 2 Oct 1999, Martin Schulze wrote:
> Given the past security bugs in both ftp daemons and beroftpd (which
> I don't even know) I feel that it is time to do a full security audit
> on them, hoping to eliminate most of the problems contained.
> I wonder if you guys could work on this and release proper patches.
> The good thing about standards is that there are so many to choose from.
> -- Andrew S. Tanenbaum
> Please always Cc to me when replying to me on the lists.
> This mail was resent due to problems with old smarthost