Re: Problems with wuftpd - password logging(?)

Dave Roberts (djr@haddock.saa-cons.co.uk)
Mon, 3 Apr 1995 13:54:20 +0100 (BST)

On Sun, 2 Apr 1995, John F. Haugh II wrote:

> > [ ...Lots of stuff about ftpd logging user's passwords... ]
> 
> Whenever I get to the office (or get my phone line to be available ...)
> ....
> problem ...), it would seem that somebody reported the problem to bugtraq
> before bothering to report it to the vendor.  Not cool -- no fair
> complaining vendors are unresponsive if you don't give them first crack.

I have actually sent a fax off to the AIX Support Centre here in the UK, 
which was done about the same time as I sent the mail to bugtraq.  My
intention was to highlight what I see as a problem to the rest of the
subscribers, and not to complain about the way IBM code works.  And I 
certainly never complained about IBM being unresponsive.... not yet 
anyway! :)

> However, given the way the data is presented, my guess is that you
> can't get around this problem.  My inclination is to believe that you've
> gotten what you asked for -- every command and response exactly as it
> is received by the server.  

I don't agree.  Yes, I want to see what the users are doing, and what
files are being downloaded, but I consider it to be bad security to store
any password in plaintext (except for the user ftp/anonymous of course),
even if it is into a log file protected by root permissions.

> If that's the case, a change in documentation
> is all that is really required.  In either case, I will speak with the
> component owner and release manager and see about doing something to ftpd.
> No promises, tho.

I, for one, would be happier :-)

- Dave.

-------------------+------------------------------------------------------
Dave Roberts       | Don't `surf the net', it's sad.  Get a board and surf
djr@saa-cons.co.uk | the break.           "I feel better than James Brown"
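The complaint in the thread above is that a "log every command as received" trace records the argument of PASS verbatim, so a root-readable log file ends up holding users' cleartext passwords, while the anonymous/ftp password (conventionally an e-mail address) is harmless to keep. The filter below is an added example, not code from this thread, from wu-ftpd, or from the AIX ftpd: it post-processes such a trace, remembers the USER per control connection (keyed on the process id), and redacts PASS for every session that is not ftp/anonymous. The syslog-style line shape with an `ftpd[pid]: command:` prefix is a constructed assumption for the example, as is the sample log itself.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of a "log every command" ftpd trace.  The line shape
# (syslog prefix, process id in brackets, "command:" marker) is an assumption
# made for this example, not the real output of any ftpd.
SAMPLE_LOG = """\
Apr  2 13:54:20 host ftpd[1201]: command: USER alice
Apr  2 13:54:22 host ftpd[1201]: command: PASS hunter2
Apr  2 13:54:25 host ftpd[1201]: command: RETR report.txt
Apr  2 13:55:01 host ftpd[1202]: command: USER anonymous
Apr  2 13:55:03 host ftpd[1202]: command: PASS guest@example.org
Apr  2 13:55:10 host ftpd[1202]: command: LIST
Apr  2 13:56:00 host ftpd[1203]: command: PASS orphan-secret
"""

# Logins whose "password" is a courtesy e-mail address and safe to keep.
ANONYMOUS_USERS = {"ftp", "anonymous"}
REDACTED = "[REDACTED]"

# One ftpd process serves one control connection, so the pid identifies the
# session that a USER/PASS pair belongs to.
LINE_RE = re.compile(
    r"^(?P<prefix>.*ftpd\[(?P<pid>\d+)\]: command: )(?P<cmd>.*)$"
)


def redact_ftp_commands(lines: Iterable[str]) -> List[str]:
    """Return the trace with PASS arguments removed for non-anonymous users.

    USER is remembered per pid so the PASS that follows can be judged.  A
    PASS with no preceding USER is redacted as well: when session state is
    missing, the safe default is to drop the secret rather than keep it.
    """
    current_user: Dict[str, str] = {}
    out: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        if not m:
            out.append(line)          # not a command line; pass through
            continue
        pid, cmd = m.group("pid"), m.group("cmd")
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()           # RFC 959 command verbs are case-insensitive
        if verb == "USER":
            current_user[pid] = arg.strip().lower()
        elif verb == "PASS":
            if current_user.get(pid) not in ANONYMOUS_USERS:
                cmd = f"PASS {REDACTED}"
        out.append(m.group("prefix") + cmd)
    return out


def count_cleartext_passwords(lines: Iterable[str]) -> int:
    """Audit helper: number of lines in the trace that expose a real secret."""
    original = [l.rstrip("\n") for l in lines]
    return sum(1 for a, b in zip(original, redact_ftp_commands(original)) if a != b)


if __name__ == "__main__":
    trace = SAMPLE_LOG.splitlines()
    print(f"{count_cleartext_passwords(trace)} password(s) would be stored in clear")
    for entry in redact_ftp_commands(trace):
        print(entry)
```

Running the filter in a log pipeline only limits how long the secret survives on disk; the password still transits the process that writes the line. The durable fix is in the server, which should drop or mask the PASS argument before it reaches the logging call at all, with the anonymous exception applied there in the same way.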