Is Debian OpenBSD ftpd secure?
Hi. I ran SAINT over my system today, and it highlighted a possible
vulnerability in the "ftpd" package[1]. I believe this relates to
"anonymous" access.
Now, access to the "anonymous" account is disabled in the /etc/ftpusers
file, which I understand leads to this:
...
Name (ftp.houseofmoran.com:mm): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
530 Login incorrect.
Login failed.
ftp> bye
221 Goodbye.
It fails even if you give a valid email address. I take it that this is
because the strategy is to not give away immediately that access is
denied, like login does with non-existent accounts?
However, SAINT still seems to pick this up as a vulnerability. Is this
just because the SAINT detection routines get fooled by the
almost-successful login, or is there actually a real vulnerability?
Thanks,
[1]: ftpd 0.11-8potato.1
--
Mike.Moran@ee.ed.ac.uk
Web: http://houseofmoran.com/
AvantGo: http://houseofmoran.com/Lite/
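
One way to check a scanner's anonymous-FTP finding against what the server actually replied, as an added example that is not part of the original post: the Python sketch below reads a captured session and reports whether the anonymous login was ever granted (reply 230) or only prompted for a password (331) and then refused (530). The function names and outcome labels are hypothetical, and the sample input is constructed from the session quoted above.

```python
import re

# Constructed sample: the client/server lines from the session quoted in the post.
SAMPLE = """\
Name (ftp.houseofmoran.com:mm): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
530 Login incorrect.
Login failed.
ftp> bye
221 Goodbye.
"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_replies(text):
    """Return [(code, text)] for each complete FTP reply (RFC 959 multi-line aware)."""
    replies, pending = [], None
    for line in text.splitlines():
        m = REPLY.match(line)
        if pending is not None:
            # Inside a multi-line reply: it ends at "<same code><space>...".
            if m and m.group(1) == pending and m.group(2) == " ":
                replies.append((int(pending), m.group(3)))
                pending = None
            continue
        if not m:
            continue  # client-side lines such as "Password:" or "ftp> bye"
        if m.group(2) == "-":
            pending = m.group(1)  # "230-..." opens a multi-line reply
        else:
            replies.append((int(m.group(1)), m.group(3)))
    return replies

def classify_anonymous_login(text):
    """Classify the outcome of a USER anonymous / PASS exchange."""
    codes = [code for code, _ in parse_replies(text)]
    if 230 in codes:
        return "granted"                # 230: user logged in
    if 331 in codes and 530 in codes[codes.index(331) + 1:]:
        return "denied-after-password"  # prompted for a password, then refused
    if 530 in codes:
        return "denied-at-user"         # refused as soon as the name was sent
    return "inconclusive"

if __name__ == "__main__":
    print(classify_anonymous_login(SAMPLE))
```

A check that treats the 331 reply alone as proof of anonymous access would flag this session even though no 230 ever follows.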