Bugtraq mailing list archives
Re: Problems with wuftpd - password logging(?)
From: djr () haddock saa-cons co uk (Dave Roberts)
Date: Mon, 3 Apr 1995 13:54:20 +0100 (BST)
On Sun, 2 Apr 1995, John F. Haugh II wrote:
[ ...Lots of stuff about ftpd logging user's passwords... ]

> Whenever I get to the office (or get my phone line to be available ...) .... problem ...), it would seem that somebody reported the problem to bugtraq before bothering to report it to the vendor. Not cool -- no fair complaining vendors are unresponsive if you don't give them first crack.
I have actually sent a fax off to the AIX Support Centre here in the UK, which was done about the same time as I sent the mail to bugtraq. My intention was to highlight what I see as a problem to the rest of the subscribers, and not to complain about the way IBM code works. And I certainly never complained about IBM being unresponsive.... not yet anyway! :)
> However, given the way the data is presented, my guess is that you can't get around this problem. My inclination is to believe that you've gotten what you asked for -- every command and response exactly as it is received by the server.
I don't agree. Yes, I want to see what the users are doing, and what files are being downloaded, but I consider it to be bad security to store any password in plaintext (except for the user ftp/anonymous of course), even if it is into a log file protected by root permissions.
> If that's the case, a change in documentation is all that is really required. In either case, I will speak with the component owner and release manager and see about doing something to ftpd. No promises, tho.
I, for one, would be happier :-)

- Dave.
----------------------+------------------------------------------------------
Dave Roberts          | Don't `surf the net', it's sad. Get a board and surf
djr () saa-cons co uk | the break. "I feel better than James Brown"