[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Is debian OpenBSD ftpd secure?

On Tue, 30 Jan 2001 15:45:50 Mike Moran wrote:
| Hi. I ran SAINT over my system today, and it highlighted a possible
| vulnerability in the "ftpd" package[1]. I believe this relates to
| "anonymous" access.

There was a security bug recently, which was fixed in the woody
release.  As far as I know, it wasn't fixed in potato (but did it
exist in potato?  I recompiled woody's for potato)
| Now, access to the "anonymous" account is disabled in the /etc/ftpusers
| file, which I understand leads to this:
| ...
| Name (ftp.houseofmoran.com:mm): anonymous
| 331 Guest login ok, send your complete e-mail address as password.
| Password:
| 530 Login incorrect.
| Login failed.
| ftp> bye
| 221 Goodbye.
| It fails even if you give a valid email address. I take it that this is
| because the strategy is to not give away immediately that access is
| denied, like login does with non-existent accounts?

| However, SAINT still seems to pick this up as a vulnerability. Is this
| just because the SAINT detection routines get fooled by the
| almost-successful login, or is there actually a real vulnerability?

It shouldn't.  Its "best practice" to ALWAYS ask for a password,
even if the account is disabled.  Does SAINT give any more info?

| Thanks,
| [1]: ftpd 0.11-8potato.1
| -- 
| Mike.Moran@ee.ed.ac.uk 
|                    Web: http://houseofmoran.com/
|                AvantGo: http://houseofmoran.com/Lite/
| --  
| To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
| with a subject of "unsubscribe". Trouble? Contact
| listmaster@lists.debian.org
Kind regards,				  

Berend De Schouwer, +27-11-712-1435, UCS

Reply to: