Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Problems with wuftpd - password logging(?)
From: djr () haddock saa-cons co uk (Dave Roberts)
Date: Mon, 3 Apr 1995 13:54:20 +0100 (BST)

On Sun, 2 Apr 1995, John F. Haugh II wrote:

[ ...Lots of stuff about ftpd logging user's passwords... ]

Whenever I get to the office (or get my phone line to be available ...)
problem ...), it would seem that somebody reported the problem to bugtraq
before bothering to report it to the vendor.  Not cool -- no fair
complaining vendors are unresponsive if you don't give them first crack.

I have actually sent a fax off to the AIX Support Centre here in the UK, 
which was done about the same time as I sent the mail to bugtraq.  My
intention was to highlight what I see as a problem to the rest of the
subscribers, and not to complain about the way IBM code works.  And I 
certainly never complained about IBM being unresponsive.... not yet 

However, given the way the data is presented, my guess is that you
can't get around this problem.  My inclination is to believe that you've
gotten what you asked for -- every command and response exactly as it
is received by the server.  

I don't agree.  Yes, I want to see what the users are doing, and what 
files are being downloaded, but I consider it to be bad security to store 
any password in plaintext (except from the user ftp/anonymous of course), 
even if it is into a log file protected by root permissions.

If that's the case, a change in documentation
is all that is really required.  In either case, I will speak with the
component owner and release manager and see about doing something to ftpd.
No promises, tho.

I, for one, would be happier :-)

- Dave.

Dave Roberts       | Don't `surf the net', it's sad.  Get a board and surf
djr () saa-cons co uk | the break.           "I feel better than James Brown"

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]