Re: Is debian OpenBSD ftpd secure?
On Tue, 30 Jan 2001 15:45:50 Mike Moran wrote:
| Hi. I ran SAINT over my system today, and it highlighted a possible
| vulnerability in the "ftpd" package. I believe this relates to
| "anonymous" access.
There was a security bug recently, which was fixed in the woody
release. As far as I know, it wasn't fixed in potato (but did it
exist in potato? I recompiled woody's for potato).
| Now, access to the "anonymous" account is disabled in the /etc/ftpusers
| file, which I understand leads to this:
| Name (ftp.houseofmoran.com:mm): anonymous
| 331 Guest login ok, send your complete e-mail address as password.
| 530 Login incorrect.
| Login failed.
| ftp> bye
| 221 Goodbye.
| It fails even if you give a valid email address. I take it that this is
| because the strategy is to not give away immediately that access is
| denied, like login does with non-existent accounts?
| However, SAINT still seems to pick this up as a vulnerability. Is this
| just because the SAINT detection routines get fooled by the
| almost-successful login, or is there actually a real vulnerability?
It shouldn't. It's "best practice" to ALWAYS ask for a password,
even if the account is disabled. Does SAINT give any more info?
| : ftpd 0.11-8potato.1
| Web: http://houseofmoran.com/
| AvantGo: http://houseofmoran.com/Lite/
Berend De Schouwer, +27-11-712-1435, UCS
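The behaviour discussed in this thread (the daemon prompts for a password and only then answers "530 Login incorrect", so the client cannot tell a disabled account from a wrong password) is easier to see in a small model. The block below is an added illustration, not code from OpenBSD ftpd or the Debian ftpd package: it parses a constructed ftpusers-style list, and contrasts a "leaky" daemon that rejects at USER time with a "uniform" one that always issues the 331 prompt first. The password table, the guest-password rule and the reply wording are assumptions of the model.

```python
# Constructed model of the ftpd login step discussed in the thread.
# This is NOT the OpenBSD/Debian ftpd source; it only shows why a
# daemon should ask for the password before rejecting a disabled account.
import hmac

# Constructed stand-in for /etc/ftpusers: one denied account per line,
# blank lines and '#' comments ignored.
FTPUSERS_TEXT = """\
# accounts that may never log in over ftp
root
anonymous
"""

# Constructed password table; a real daemon consults the system
# password database instead.
PASSWORDS = {"mm": "s3cret-example"}

GUEST_NAMES = ("anonymous", "ftp")


def parse_ftpusers(text):
    """Return the set of account names denied by ftpusers-style text."""
    denied = set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip()
        if name:
            denied.add(name)
    return denied


def leaky_login(user, password, denied):
    """Daemon that decides at USER time.

    The very first reply reveals whether the account is usable, which is
    exactly the account-enumeration leak the thread's advice avoids."""
    if user in denied or (user not in PASSWORDS and user not in GUEST_NAMES):
        return ["530 Login incorrect."]
    if user in GUEST_NAMES:
        replies = ["331 Guest login ok, send your complete e-mail address as password."]
        ok = "@" in password          # constructed guest rule: any e-mail-like string
    else:
        replies = ["331 Password required for %s." % user]
        ok = hmac.compare_digest(password.encode(), PASSWORDS[user].encode())
    replies.append("230 User logged in." if ok else "530 Login incorrect.")
    return replies


def uniform_login(user, password, denied):
    """Daemon that ALWAYS prompts for a password and decides afterwards.

    Disabled, unknown and mistyped-password cases all produce the same
    two-line exchange (331 then 530), so nothing is learned from USER alone."""
    if user in GUEST_NAMES:
        replies = ["331 Guest login ok, send your complete e-mail address as password."]
        ok = "@" in password          # constructed guest rule, see above
    else:
        replies = ["331 Password required for %s." % user]
        # Compare against a dummy for unknown users so the work done is similar.
        expected = PASSWORDS.get(user, "dummy-password-for-unknown-user")
        ok = hmac.compare_digest(password.encode(), expected.encode())
    # Apply the ftpusers denial only after the password step has run.
    ok = ok and user not in denied
    replies.append("230 User logged in." if ok else "530 Login incorrect.")
    return replies


def transcript(login, user, password):
    """Render the reply sequence the way the ftp client in the thread shows it."""
    denied = parse_ftpusers(FTPUSERS_TEXT)
    lines = ["Name (ftp.example.invalid:mm): " + user]   # constructed host name
    lines.extend(login(user, password, denied))
    return "\n".join(lines)


if __name__ == "__main__":
    print(transcript(leaky_login, "anonymous", "mm@example.org"))
    print("---")
    print(transcript(uniform_login, "anonymous", "mm@example.org"))
```

Running the block prints the leaky exchange (a bare 530 on the USER command) next to the uniform one, which matches the 331-then-530 sequence quoted in the thread even though "anonymous" is listed in ftpusers. The uniform variant also answers an unknown account and a known account with a wrong password identically, which is the property a scanner like SAINT cannot distinguish from a live anonymous login by reply codes alone.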