Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Problems with wuftpd - password logging(?)
From: jfh () rpp386 cactus org (John F. Haugh II)
Date: Sun, 2 Apr 95 19:37:12 CDT


On Thu, 16 Mar 1995, DaVe McComb wrote:

I seem to have a major problem with wuftpd version wu-2.4, in that if a 
specific sequence of steps is taken, the user's password is logged to 
/var/adm/messages, wtmp, and to the screen.  This is happening under 

This also happens to me.  I've just stepped up the amount of logging that 
occurs with our main Unix box, which is an RS/6000 running AIX 3.2.5.  

The ftpd is the standard one that IBM provide.  If ftpd is invoked with a 
-d option, and syslog logs daemon activity of debug and above, then, when 
a normal user ftp's to the machine, it logs their password!  Not good.  

I wanna keep track of the ftp activity of my users, but I don't want to
see their passwords in the log file.  On AIX this is not *SO* much of a
problem as the log file is sat in /var/spool/mqueue which is mode 770 for
root.system, but it still concerns me.  Don't know what anyone else 
thinks about this.

Anyone know a way around this except from turning the log level back to
"info" only? 

-----[ syslog extract ]-------
Mar 31 14:33:09 server0 ftpd[26843]: connect from client2
Mar 31 14:33:09 server0 ftpd[26843]: <--- 220 
Mar 31 14:33:09 server0 ftpd[26843]: server0 FTP server (Version 4.9 Thu 
Sep 2 20:35:07 CDT 1993) ready.
Mar 31 14:33:40 server0 ftpd[26843]: command: USER xyz1^M 
Mar 31 14:33:40 server0 ftpd[26843]: <--- 331 
Mar 31 14:33:40 server0 ftpd[26843]: Password required for xyz1.
Mar 31 14:33:49 server0 ftpd[26843]: command: PASS momsname^M 
Mar 31 14:33:49 server0 ftpd[26843]: <--- 230 
Mar 31 14:33:49 server0 ftpd[26843]: User xyz1 logged in.
-----[ end of extract ]-------

Whenever I get to the office (or get my phone line to be available ...)
I'm going to open an internal defect report against this problem.  I've
not heard of this problem before, and given that I hear about all AIX
security problems (as long as they are called something like a security
problem ...), it would seem that somebody reported the problem to bugtraq
before bothering to report it to the vendor.  Not cool -- no fair
complaining vendors are unresponsive if you don't give them first crack.

However, given the way the data is presented, my guess is that you
can't get around this problem.  My inclination is to believe that you've
gotten what you asked for -- every command and response exactly as it
is received by the server.  If that's the case, a change in documentation
is all that is really required.  In either case, I will speak with the
component owner and release manager and see about doing something to ftpd.
No promises, tho.

In the mean time, try to keep in mind what "debug" means.  Try also to
remember that debugging is very useful in many instances any only setable
by root anyway.
-- 
John F. Haugh II  [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ]   @'s: jfh () rpp386 cactus org



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]