On Tue, 30 Jan 2001 15:45:50 Mike Moran wrote:
|
| Hi. I ran SAINT over my system today, and it highlighted a possible
| vulnerability in the "ftpd" package[1]. I believe this relates to
| "anonymous" access.

There was a security bug recently, which was fixed in the woody release.
As far as I know, it wasn't fixed in potato (but did it exist in potato?
I recompiled woody's for potato).

| Now, access to the "anonymous" account is disabled in the /etc/ftpusers
| file, which I understand leads to this:
|
| ...
| Name (ftp.houseofmoran.com:mm): anonymous
| 331 Guest login ok, send your complete e-mail address as password.
| Password:
| 530 Login incorrect.
| Login failed.
| ftp> bye
| 221 Goodbye.
|
| It fails even if you give a valid email address. I take it that this is
| because the strategy is to not give away immediately that access is
| denied, like login does with non-existent accounts?

Yes.

| However, SAINT still seems to pick this up as a vulnerability. Is this
| just because the SAINT detection routines get fooled by the
| almost-successful login, or is there actually a real vulnerability?

It shouldn't. It's "best practice" to ALWAYS ask for a password, even if
the account is disabled. Does SAINT give any more info?

| Thanks,
|
| [1]: ftpd 0.11-8potato.1
|
| --
| [EMAIL PROTECTED]
| Web: http://houseofmoran.com/
| AvantGo: http://houseofmoran.com/Lite/

Kind regards,
Berend
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS
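As an added example (not code from the thread or from the ftpd package), here is a check that decides anonymous access from the reply to PASS rather than from the 331 reply to USER, which is exactly the distinction the quoted session turns on. The two server transcripts it runs over are constructed; the first mirrors the session in the post.

```python
# Added example: decide whether an FTP server really granted anonymous access
# by reading the reply to PASS, not the 331 reply to USER. A 331 is sent
# even when the account is disabled in /etc/ftpusers, so a checker that
# stops there reports a false positive. Transcripts below are constructed.
import re

# Constructed server replies, in order: reply to USER anonymous, then to PASS.
DENIED = [
    "331 Guest login ok, send your complete e-mail address as password.",
    "530 Login incorrect.",
]
ALLOWED = [
    "331 Guest login ok, send your complete e-mail address as password.",
    "230-Welcome to the constructed example FTP site.",
    "230-No real host is behind this banner.",
    "230 Guest login ok, access restrictions apply.",
]

_REPLY = re.compile(r"^(\d{3})([ -])")

def reply_codes(lines):
    """Collapse RFC 959 replies (including 'ddd-' multi-line ones) into a
    list of final 3-digit codes, in order."""
    codes, open_code = [], None
    for line in lines:
        m = _REPLY.match(line)
        if open_code is None:
            if not m:
                raise ValueError("expected a reply code: %r" % line)
            if m.group(2) == "-":
                open_code = m.group(1)      # start of a multi-line reply
            else:
                codes.append(m.group(1))
        elif m and m.group(1) == open_code and m.group(2) == " ":
            codes.append(open_code)         # terminating line of that reply
            open_code = None
    return codes

def naive_anonymous_allowed(lines):
    """What a scanner fooled by the 'almost-successful' login concludes:
    it stops at the 331 and never looks at the reply to PASS."""
    codes = reply_codes(lines)
    return bool(codes) and codes[0] == "331"

def anonymous_allowed(lines):
    """Anonymous access is granted only if the reply to PASS is 2xx."""
    codes = reply_codes(lines)
    return len(codes) >= 2 and codes[0] == "331" and codes[1].startswith("2")
```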