From owner-freebsd-security  Tue Dec  2 09:57:42 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id JAA18741
          for security-outgoing; Tue, 2 Dec 1997 09:57:42 -0800 (PST)
          (envelope-from owner-freebsd-security)
Received: from bangkok.office.cdsnet.net (bangkok.office.cdsnet.net [204.118.245.49])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA18734
          for <freebsd-security@FreeBSD.ORG>; Tue, 2 Dec 1997 09:57:39 -0800 (PST)
          (envelope-from cts@bangkok.office.cdsnet.net)
Received: (from cts@localhost)
	by bangkok.office.cdsnet.net (8.8.8/8.8.5) id JAA25667;
	Tue, 2 Dec 1997 09:56:44 -0800 (PST)
Date: Tue, 2 Dec 1997 09:56:44 -0800 (PST)
Message-Id: <199712021756.JAA25667@bangkok.office.cdsnet.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: Craig Spannring <cts@cdsnet.net>
To: shimon@simon-shapiro.org
Cc: "Jordan K. Hubbard" <jkh@time.cdrom.com>, freebsd-security@FreeBSD.ORG,
        warpy <warpy@suburbia.com.au>,
        "Daniel O'Callaghan" <danny@panda.hilink.com.au>,
        Craig Spannring <cts@cdsnet.net>
Subject: Re: Possible problem with ftpd 6.00
In-Reply-To: <XFMail.971127122250.shimon@simon-shapiro.org>
References: <3573.880574299@time.cdrom.com>
	<XFMail.971127122250.shimon@simon-shapiro.org>
X-Mailer: VM 6.31 under Emacs 19.34.1
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Simon Shapiro writes:
 > if ( strncmp(login, "ftp, MAX_LOGIN) && 
 >      strncmp(login "anonymous", MAX_LOGIN) ) {
 >   printf("Password; ")
 > } else {
 >   printf("Your E-Mail Address, please ");
 > }
 > 
 > No ?


No. 

Nice try but you are solving the wrong problem.  The problem isn't the
misleading prompt, the problem is the displaying of the password.
There is no reason that information needs to show up in the process
information in the first place.  The information is trivially forged
and as such is worthless.

The quick fix for this is to remove the -DSETPROCTITLE from the
makefile.  A better fix would be to modify the snprintf calls to not
reference the password.

-- 
======================================================================
 Life is short.                 | Craig Spannring 
      Ski hard, Bike fast.      | cts@cdsnet.net
 -------------------------------+------------------------------------
 Save Cyberspace-               | On the planet Vulcan, MSDOS   
    Shoot a Perl Developer!     | would be considered illogical.
======================================================================