ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #210 [Re: yet another ftpd hole (on Suns)] (1 message, 1105 bytes)
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
From: Edward Vielmetti <email@example.com>
Date: Wed 17:10:23 09/11/1988 EST
Subject: Re: yet another ftpd hole (on Suns)
I have confirmed Pete's report on a Sun running this version of FTP:

    220 xxxx FTP server (Version 4.7 Sun Sep 14 12:44:57 PDT 1986) ready.

If your FTP is dated this early (I think it's SunOS 3.2) then contact me and I'll tell you how to exercise this bug, conditional of course on your ability to fix it on the systems in question. Contrariwise, if you're a binary-only site and are still running the original Sun binaries, I'd like to know exactly at which release level this bug disappeared.

It may or may not be present in other vendors' software as well. It's not present on my system (Apollo SR10):

    220 starbarlounge.cc.umich.edu FTP server (Version SR10-4.32 Wed May 18 11:32:04 EDT 1988) ready.

If your FTP is old and nasty, then it no doubt has the anonymous FTP hole as well.

This particular bug can be exercised only if you have a login on the system in question; as such, it should be of concern to those who are worried about attacks from within as well as attacks from the outside. Whether or not you are connected to the outside world, you are at risk.

--Ed

ps. the more I read this list, the more concerned I am about network security. rtm's worm exploited what I assume is the first of multiple gaping and not-so-gaping holes in unix security. I fear that the academic/research community will, in fixing these problems, endanger the actual security of business installations who are dependent on the good business sense of their vendors to provide timely upgrades. It would be irresponsible of Sun not to inform their customers of this bug, and to ship a fixed version.
END OF DOCUMENT
|ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved.|