Your message dated Tue, 13 May 2008 10:12:40 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#480962: proftpd: FTP login as system user and * or ! as 
password possible in some cases
has caused the Debian Bug report #480962,
regarding proftpd: FTP login as system user and * or ! as password possible in 
some cases
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
480962: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480962
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: proftpd-mysql
Version: 1.3.0-19
Severity: critical

If:

- SQLAuthTypes contains PlainText,
- RequireValidShell is off,
- and there is no AuthOrder mod_sql.c defined

then it's possible to log in as a system user with password '*' or '!'.

For example, the example configuration file on proftpd's website is
vulnerable:

http://www.proftpd.org/docs/configs/mysql_simple.conf

I was able to download all MySQL databases on my server when logging in
with username 'mysql' and password '!'.

--- End Message ---
--- Begin Message ---
This is an old issue and it is also easily manageable by config.
Don't use plaintext or add system accounts to mysql table with disabled
password for instance.

On Tue, May 13, 2008 at 12:35:48AM +0200, Roel Koops wrote:
> Package: proftpd-mysql
> 
> Version: 1.3.0-19
> 
> Severity: critical
> 
-- 
Francesco P. Lovergine


--- End Message ---
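
The three conditions listed in the report can be checked mechanically before a
server goes live. The following is an added example, not part of the original
messages or of ProFTPD itself: the function names and the sample configurations
are constructed, <Section> scoping and Include files are ignored, and only an
AuthOrder that names mod_sql.c alone is treated as "defined" (an assumption).

```python
# Added example: audit a proftpd.conf for the three conditions in the report.
# Simplification (assumption): <Section> scoping and Include files are ignored.

def parse_directives(conf_text):
    """Map lowercase directive name -> list of lowercase argument lists."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue  # skip blanks, comments and section markers
        name, *args = line.split()
        found.setdefault(name.lower(), []).append([a.lower() for a in args])
    return found

def audit(conf_text):
    """Return the report's conditions that hold for this configuration."""
    d = parse_directives(conf_text)
    hits = []
    if any("plaintext" in args for args in d.get("sqlauthtypes", [])):
        hits.append("SQLAuthTypes contains Plaintext")
    if any(args[:1] == ["off"] for args in d.get("requirevalidshell", [])):
        hits.append("RequireValidShell is off")
    # Assumption: only an AuthOrder naming mod_sql.c alone counts as defined;
    # a trailing '*' (authoritative marker) is ignored for the comparison.
    orders = [[m.rstrip("*") for m in args] for args in d.get("authorder", [])]
    if not any(mods == ["mod_sql.c"] for mods in orders):
        hits.append("no AuthOrder mod_sql.c")
    return hits

def is_exposed(conf_text):
    """True only when all three conditions from the report are present."""
    return len(audit(conf_text)) == 3

# Constructed sample configurations (not taken from mysql_simple.conf).
WEAK = """\
SQLAuthTypes Plaintext Crypt
SQLAuthenticate users*
RequireValidShell off   # allow accounts without a valid shell
"""
FIXED = WEAK + "AuthOrder mod_sql.c\n"

if __name__ == "__main__":
    for label, conf in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(label, "exposed" if is_exposed(conf) else "ok", audit(conf))
```
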
