Re: Is debian OpenBSD ftpd secure?
On Tue, 30 Jan 2001 15:45:50 Mike Moran wrote:
|
| Hi. I ran SAINT over my system today, and it highlighted a possible
| vulnerability in the "ftpd" package[1]. I believe this relates to
| "anonymous" access.
There was a security bug recently, which was fixed in the woody
release. As far as I know, it wasn't fixed in potato (but did it
exist in potato? I recompiled woody's for potato).
| Now, access to the "anonymous" account is disabled in the /etc/ftpusers
| file, which I understand leads to this:
|
| ...
| Name (ftp.houseofmoran.com:mm): anonymous
| 331 Guest login ok, send your complete e-mail address as password.
| Password:
| 530 Login incorrect.
| Login failed.
| ftp> bye
| 221 Goodbye.
|
| It fails even if you give a valid email address. I take it that this is
| because the strategy is to not give away immediately that access is
| denied, like login does with non-existent accounts?
Yes.
| However, SAINT still seems to pick this up as a vulnerability. Is this
| just because the SAINT detection routines get fooled by the
| almost-successful login, or is there actually a real vulnerability?
It shouldn't. It's "best practice" to ALWAYS ask for a password,
even if the account is disabled. Does SAINT give any more info?
| Thanks,
|
| [1]: ftpd 0.11-8potato.1
|
| --
| Mike.Moran@ee.ed.ac.uk
| Web: http://houseofmoran.com/
| AvantGo: http://houseofmoran.com/Lite/
|
Kind regards,
Berend
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS
Reply to:
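As an added illustration (not code from the thread or from the Debian ftpd package), here is a small Python model of the login behaviour discussed above: a name listed in /etc/ftpusers, an unknown name and a wrong password all get the same 331-then-530 exchange, so the replies never confirm whether an account exists. Function names, the user table and the ftpusers content are constructed for the example.

```python
# Added example: models ftpd-style USER/PASS handling where rejection is
# deferred until after the password, so replies do not leak account existence.
from typing import Dict, Iterable, List, Optional

def parse_ftpusers(lines: Iterable[str]) -> set:
    """Parse /etc/ftpusers content: one denied login per line, '#' starts a comment."""
    denied = set()
    for line in lines:
        name = line.split("#", 1)[0].strip()
        if name:
            denied.add(name)
    return denied

class FtpLogin:
    """Simulated server. `accounts` is a constructed user -> password map."""
    def __init__(self, accounts: Dict[str, str], ftpusers: Iterable[str]):
        self.accounts = accounts
        self.denied = parse_ftpusers(ftpusers)
        self.pending: Optional[str] = None

    def user(self, name: str) -> str:
        self.pending = name
        # Always ask for a password, even for denied or unknown names.
        if name in ("anonymous", "ftp"):
            return "331 Guest login ok, send your complete e-mail address as password."
        return "331 Password required for %s." % name

    def password(self, secret: str) -> str:
        name, self.pending = self.pending, None
        # One rejection message for denied, unknown and wrong-password cases alike.
        if name in self.denied or name not in self.accounts:
            allowed = False
        elif name in ("anonymous", "ftp"):
            allowed = True  # guest login: any "password" (an e-mail address) is accepted
        else:
            allowed = self.accounts[name] == secret
        return ("230 User %s logged in." % name) if allowed else "530 Login incorrect."

def session(server: FtpLogin, name: str, secret: str) -> List[str]:
    """Run one USER/PASS exchange and return the server's two replies."""
    return [server.user(name), server.password(secret)]

def rejected_replies_uniform(server: FtpLogin, names: Iterable[str], secret: str) -> bool:
    """Defender's check: every rejected login must end with the identical 530 line."""
    finals = {session(server, n, secret)[-1] for n in names}
    return finals == {"530 Login incorrect."}

# Constructed sample data (not real accounts or a real ftpusers file).
FTPUSERS = ["# disabled logins", "root", "anonymous", "ftp"]
ACCOUNTS = {"anonymous": "", "mm": "example-password"}
```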