Date:      Tue, 2 Dec 1997 09:56:44 -0800 (PST)
From:      Craig Spannring <cts@cdsnet.net>
To:        shimon@simon-shapiro.org
Cc:        "Jordan K. Hubbard" <jkh@time.cdrom.com>, freebsd-security@FreeBSD.ORG, warpy <warpy@suburbia.com.au>, "Daniel O'Callaghan" <danny@panda.hilink.com.au>, Craig Spannring <cts@cdsnet.net>
Subject:   Re: Possible problem with ftpd 6.00
Message-ID:  <199712021756.JAA25667@bangkok.office.cdsnet.net>
In-Reply-To: <XFMail.971127122250.shimon@simon-shapiro.org>
References:  <3573.880574299@time.cdrom.com> <XFMail.971127122250.shimon@simon-shapiro.org>

Simon Shapiro writes:
 > if ( strncmp(login, "ftp", MAX_LOGIN) && 
 >      strncmp(login, "anonymous", MAX_LOGIN) ) {
 >   printf("Password; ");
 > } else {
 >   printf("Your E-Mail Address, please ");
 > }
 > 
 > No ?


No. 

Nice try but you are solving the wrong problem.  The problem isn't the
misleading prompt, the problem is the displaying of the password.
There is no reason that information needs to show up in the process
information in the first place.  The information is trivially forged
and as such is worthless.

The quick fix for this is to remove the -DSETPROCTITLE from the
makefile.  A better fix would be to modify the snprintf calls to not
reference the password.

-- 
======================================================================
 Life is short.                 | Craig Spannring 
      Ski hard, Bike fast.      | cts@cdsnet.net
 -------------------------------+------------------------------------
 Save Cyberspace-               | On the planet Vulcan, MSDOS   
    Shoot a Perl Developer!     | would be considered illogical.
======================================================================
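
The "better fix" suggested in the message above, shown as an added example that is not part of the original e-mail or of the ftpd source: a process-title string built with and without the typed password, plus a check that a title does not expose it. The function names, buffer size and sample values are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 64   /* assumed title buffer size */

/* Before: the string the client typed at the password prompt is copied into
 * the title, so any local user can read it from the process listing. */
int title_with_password(char *out, size_t n, const char *host,
                        const char *login, const char *passwd)
{
    int len = snprintf(out, n, "%s: %s/%s", host, login, passwd);
    return (len < 0 || (size_t)len >= n) ? -1 : len;   /* -1: error or truncated */
}

/* After: the title carries only the peer host and the account name. */
int title_without_password(char *out, size_t n, const char *host,
                           const char *login)
{
    int anon = strcmp(login, "ftp") == 0 || strcmp(login, "anonymous") == 0;
    int len = snprintf(out, n, "%s: %s", host, anon ? "anonymous" : login);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Regression check: 1 if the title exposes the secret, else 0.
 * An empty secret never counts as a leak. */
int title_leaks(const char *title, const char *secret)
{
    return secret[0] != '\0' && strstr(title, secret) != NULL;
}

int main(void)
{
    /* Constructed sample values. */
    const char *host = "client.example.org";
    const char *typed = "s3cret-shell-pw";
    char before[TITLE_MAX], after[TITLE_MAX];

    title_with_password(before, sizeof before, host, "anonymous", typed);
    title_without_password(after, sizeof after, host, "anonymous");
    printf("before: %-46s leaks=%d\n", before, title_leaks(before, typed));
    printf("after:  %-46s leaks=%d\n", after, title_leaks(after, typed));
    /* Where setproctitle(3) exists, pass the result as an argument, never
     * as the format string: setproctitle("%s", after); */
    return 0;
}
```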