Bugtraq mailing list archives

Re: Problems with wuftpd - password logging(?)


From: djr () haddock saa-cons co uk (Dave Roberts)
Date: Mon, 3 Apr 1995 13:54:20 +0100 (BST)


On Sun, 2 Apr 1995, John F. Haugh II wrote:

[ ...Lots of stuff about ftpd logging user's passwords... ]

> Whenever I get to the office (or get my phone line to be available ...)
> ....
> problem ...), it would seem that somebody reported the problem to bugtraq
> before bothering to report it to the vendor.  Not cool -- no fair
> complaining vendors are unresponsive if you don't give them first crack.

I have actually sent a fax off to the AIX Support Centre here in the UK,
which was done about the same time as I sent the mail to bugtraq.  My
intention was to highlight what I see as a problem to the rest of the
subscribers, and not to complain about the way IBM code works.  And I
certainly never complained about IBM being unresponsive... not yet
anyway! :)

> However, given the way the data is presented, my guess is that you
> can't get around this problem.  My inclination is to believe that you've
> gotten what you asked for -- every command and response exactly as it
> is received by the server.

I don't agree.  Yes, I want to see what the users are doing, and what
files are being downloaded, but I consider it to be bad security to store
any password in plaintext (except from the user ftp/anonymous of course),
even if it is into a log file protected by root permissions.

> If that's the case, a change in documentation
> is all that is really required.  In either case, I will speak with the
> component owner and release manager and see about doing something to ftpd.
> No promises, tho.

I, for one, would be happier :-)

- Dave.

-------------------+------------------------------------------------------
Dave Roberts       | Don't `surf the net', it's sad.  Get a board and surf
djr () saa-cons co uk | the break.           "I feel better than James Brown"
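The point Dave makes above, that an FTP command log should never carry a real PASS argument even when the file is root-only, while the conventional e-mail address given as the anonymous "password" is harmless, can be expressed as a log filter. The following is an added illustration written for this archive page, not code from wu-ftpd, AIX ftpd or any post in the thread. It assumes a syslog-style line format in which each ftpd process logs its commands with its PID, so that USER and PASS from the same session can be paired; the sample log lines are constructed, and the session-by-PID tracking is an assumption about the log layout rather than what any particular ftpd actually writes.

```python
import re

# Constructed sample of an FTP command log in the style the thread complains
# about: every command is logged verbatim, including the PASS argument.
SAMPLE_LOG = """\
Apr  2 23:10:01 ftpd[1234]: USER alice
Apr  2 23:10:02 ftpd[1234]: PASS s3cret-Pa55
Apr  2 23:10:05 ftpd[1234]: RETR /pub/README
Apr  2 23:11:40 ftpd[1250]: USER anonymous
Apr  2 23:11:41 ftpd[1250]: PASS alice@example.com
Apr  2 23:11:42 ftpd[1250]: RETR /pub/index.txt
Apr  2 23:12:00 ftpd[1260]: USER ftp
Apr  2 23:12:01 ftpd[1260]: PASS guest@
Apr  2 23:13:00 ftpd[1270]: USER bob
Apr  2 23:13:01 ftpd[1270]: pass   hunter2
"""

# Accounts whose PASS argument is, by convention, an e-mail address and may
# be kept in the log (the exception Dave allows for in the thread).
ANONYMOUS_USERS = {"ftp", "anonymous"}

# Assumed line layout: "<timestamp> ftpd[<pid>]: <COMMAND> <argument...>".
LINE_RE = re.compile(
    r"^(?P<prefix>.*?ftpd\[(?P<pid>\d+)\]: )(?P<cmd>\S+)(?P<rest>.*)$"
)


def redact_passwords(log_text):
    """Return the log lines with every PASS argument replaced by <redacted>,
    except where the same session (keyed by PID) last issued USER for an
    anonymous account.  A PASS seen before any USER for that PID is treated
    as a real password, so the safe default is to redact it."""
    last_user = {}
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            out.append(line)  # not an ftpd command line; pass through unchanged
            continue
        pid = m.group("pid")
        cmd = m.group("cmd").upper()  # FTP commands are case-insensitive
        if cmd == "USER":
            last_user[pid] = m.group("rest").strip().lower()
        elif cmd == "PASS" and last_user.get(pid) not in ANONYMOUS_USERS:
            line = m.group("prefix") + m.group("cmd") + " <redacted>"
        out.append(line)
    return out


def count_redacted(lines):
    """Number of lines whose password was removed; useful as a sanity
    check that the filter actually fired on a given log."""
    return sum(1 for line in lines if line.endswith(" <redacted>"))


if __name__ == "__main__":
    cleaned = redact_passwords(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("redacted:", count_redacted(cleaned))
```

Run as a filter over the raw log before it is archived or shipped anywhere; the two anonymous sessions keep their e-mail "passwords", the lowercase `pass` line is still caught, and nothing that was not an ftpd command line is altered.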


