Is debian OpenBSD ftpd secure?



Hi. I ran SAINT over my system today, and it highlighted a possible
vulnerability in the "ftpd" package[1]. I believe this relates to
"anonymous" access.

Now, access to the "anonymous" account is disabled in the /etc/ftpusers
file, which I understand leads to this:

...
Name (ftp.houseofmoran.com:mm): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
530 Login incorrect.
Login failed.
ftp> bye
221 Goodbye.

It fails even if you give a valid email address. I take it that this is
because the strategy is to not give away immediately that access is
denied, like login does with non-existent accounts?

However, SAINT still seems to pick this up as a vulnerability. Is this
just because the SAINT detection routines get fooled by the
almost-successful login, or is there actually a real vulnerability?

Thanks,

[1]: ftpd 0.11-8potato.1

-- 
Mike.Moran@ee.ed.ac.uk 
                   Web: http://houseofmoran.com/
               AvantGo: http://houseofmoran.com/Lite/
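
Added example, not part of the original message and not code from SAINT or ftpd: a check that decides whether an anonymous FTP login actually succeeded by reading the reply that ends the USER/PASS exchange (230, or a 4xx/5xx code such as 530) rather than the intermediate 331. The function names are hypothetical; the first sample is the session quoted in the message and the second is constructed.

```python
import re

# Session quoted in the message above (anonymous listed in /etc/ftpusers).
DENIED = """Name (ftp.houseofmoran.com:mm): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
530 Login incorrect.
Login failed.
ftp> bye
221 Goodbye."""

# Constructed sample: a server that does admit anonymous users (multi-line 230).
ALLOWED = """331 Guest login ok, send your complete e-mail address as password.
230-Welcome to the archive.
230 Guest login ok, access restrictions apply."""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")  # RFC 959: code, then ' ' (last line) or '-'

def parse_replies(text):
    """Return [(code, text)] for server replies, folding multi-line replies."""
    replies, pending = [], None
    for line in text.splitlines():
        m = REPLY.match(line)
        if pending:                       # inside a multi-line reply
            code, lines = pending
            closing = bool(m) and m.group(1) == code and m.group(2) == " "
            lines.append(m.group(3) if closing else line)
            if closing:
                replies.append((int(code), "\n".join(lines)))
                pending = None
        elif m and m.group(2) == "-":
            pending = (m.group(1), [m.group(3)])
        elif m:
            replies.append((int(m.group(1)), m.group(3)))
        # anything else is client-side prompt text, not a server reply
    return replies

def anonymous_login_outcome(text):
    """Classify by the reply that ends USER/PASS, never by the 331 alone."""
    for code, _ in parse_replies(text):
        if code == 230:
            return "allowed"              # user logged in
        if code >= 400:
            return "denied"               # 4xx/5xx, e.g. 530 not logged in
    return "undetermined"                 # only preliminary/intermediate replies seen

if __name__ == "__main__":
    for name, log in (("quoted session", DENIED), ("constructed", ALLOWED)):
        print(name, "->", anonymous_login_outcome(log))
```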
