[OpenAFS] FTPD vulnerable to glob?

Derrick J Brashear shadow@dementia.org
Tue, 17 Apr 2001 22:10:04 -0400 (EDT)


On Tue, 17 Apr 2001, Thomas Vincent wrote:

> on 4/17/01 6:39 PM, Nathan Neulinger at nneul@umr.edu wrote:
> 
> > *laugh* The ftpd server in OpenAFS is probably vulnerable to a lot worse
> > than the glob() attack. You'd have to be nuts to actually use it.
> 
> That is reassuring. Is anyone working on getting ACLs working in wu-ftpd or
> pro-ftpd?

We have an out-of-date but patched wu-ftpd with AFS support. Because of
the support nightmare it is, I don't recommend the use of it.

Is proftpd development going again? I wrote more than 50% of an rfc2228
plugin and got to the point where I needed hooks for IO routines so I
could encrypt and decrypt data, and was told it would be in the "next
major version" and then the author promptly fell off the planet. For us,
at least, true security is an absolute necessity for the deployment of
any protocol. Password-based authentication on a non-encrypted connection
is unacceptable. My recommendation would be that if you can, you take the
same course.

-D