Date: Mon, 06 Aug 2001 22:49:17 +0900
From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/29487: ftpd leaks password typed as username by mistake
Message-ID: <20010806224917T.koya@pluto.math.yokohama-cu.ac.jp>
>Number: 29487
>Category: bin
>Synopsis: ftpd leaks password typed as username by mistake
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Aug 06 06:50:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Yoshihiro Koya
>Release: FreeBSD 4.4-PRERELEASE i386
>Organization:
Yokohama City Univ., Dept. of Math. Sci.
>Environment:
System: FreeBSD presario.my.domain 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #0: Mon Aug 6 18:00:24 JST 2001 root@presario.my.domain:/usr/obj/usr/src/sys/presario i386
ftpd.c:
$FreeBSD: src/libexec/ftpd/ftpd.c,v 1.62.2.10 2001/07/19 05:44:08 dd Exp $
>Description:
It happens quite often that one types the password instead of the username
into an ftp client by mistake.
In that case, ftpd(8) on FreeBSD logs the username into
/var/log/messages as follows:
Aug 6 22:19:28 presario ftpd[814]: FTP LOGIN FAILED FROM localhost, mypass
On the other hand, every user on the system can read /var/log/messages.
This might cause security-related problems.
>How-To-Repeat:
Type your password as the username to ftp,
then check your /var/log/messages.
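As an added example, not part of this PR or of FreeBSD's ftpd: a small C triage helper that an administrator could run over a copy of /var/log/messages after applying the fix, to find the earlier "FTP LOGIN FAILED FROM host, name" entries whose logged name matches no account on the system. Those are the entries likely to hold a mistyped password and the ones to scrub. The account list and the log lines below are constructed; a real tool would consult getpwnam(3) instead of the fixed list.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the system account database (assumption: a real
 * tool would call getpwnam(3) instead of consulting this list). */
static const char *const known_users[] = { "root", "koya", "ftp", NULL };

static int is_known_user(const char *name)
{
    for (const char *const *u = known_users; *u != NULL; u++)
        if (strcmp(*u, name) == 0)
            return 1;
    return 0;
}

/* Extract the name field from an ftpd "FTP LOGIN FAILED FROM host, name" line.
 * Returns 1 and copies the name into out on success, 0 if the line is not a
 * failed-login line or carries no name field. */
static int parse_failed_login(const char *line, char *out, size_t outsz)
{
    static const char marker[] = "FTP LOGIN FAILED FROM ";
    const char *p = strstr(line, marker);
    if (p == NULL)
        return 0;
    p += sizeof(marker) - 1;
    const char *comma = strstr(p, ", ");
    if (comma == NULL)
        return 0;                       /* no name was logged at all */
    const char *name = comma + 2;
    size_t n = strcspn(name, "\r\n");
    if (n == 0 || n >= outsz)
        return 0;
    memcpy(out, name, n);
    out[n] = '\0';
    return 1;
}

/* 1 if the line logs a "username" that is neither a known account nor the
 * "(unknown user)" placeholder emitted by the patched ftpd, 0 otherwise. */
static int line_leaks_unknown_name(const char *line)
{
    char name[128];
    if (!parse_failed_login(line, name, sizeof name))
        return 0;
    if (strcmp(name, "(unknown user)") == 0)
        return 0;                       /* name already withheld by ftpd */
    return !is_known_user(name);
}

/* Returns the number of lines that leak an unknown name; the indices of up to
 * maxflag of them are stored in flagged (which may be NULL). */
static int find_leaked_names(const char *const *lines, int nlines,
                             int *flagged, int maxflag)
{
    int count = 0;
    for (int i = 0; i < nlines; i++) {
        if (!line_leaks_unknown_name(lines[i]))
            continue;
        if (flagged != NULL && count < maxflag)
            flagged[count] = i;
        count++;
    }
    return count;
}

/* Constructed sample log lines, modelled on the line quoted in the PR. */
static const char *const sample_log[] = {
    "Aug  6 22:19:28 presario ftpd[814]: FTP LOGIN FAILED FROM localhost, mypass",
    "Aug  6 22:20:01 presario ftpd[815]: FTP LOGIN FAILED FROM localhost, koya",
    "Aug  6 22:21:10 presario ftpd[816]: FTP LOGIN FAILED FROM localhost, (unknown user)",
    "Aug  6 22:22:00 presario sshd[900]: Accepted publickey for koya from 10.0.0.5",
};
#define SAMPLE_LINES ((int)(sizeof sample_log / sizeof sample_log[0]))

int main(void)
{
    int flagged[SAMPLE_LINES];
    int n = find_leaked_names(sample_log, SAMPLE_LINES, flagged, SAMPLE_LINES);
    printf("%d line(s) may contain a mistyped password:\n", n);
    for (int i = 0; i < n; i++)
        printf("  line %d: %s\n", flagged[i] + 1, sample_log[flagged[i]]);
    return 0;
}
```

Only the first sample line is flagged: "koya" is a real account, the "(unknown user)" line is what the patched ftpd writes, and the sshd line is not an ftpd failure at all. Lines that do get flagged should be removed from the file (and from any log copies or remote syslog hosts) rather than merely grepped for.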
>Fix:
Index: ftpd.c
===================================================================
RCS file: /home/ncvs/src/libexec/ftpd/ftpd.c,v
retrieving revision 1.62.2.10
diff -u -r1.62.2.10 ftpd.c
--- ftpd.c 2001/07/19 05:44:08 1.62.2.10
+++ ftpd.c 2001/08/06 13:34:11
@@ -1228,9 +1228,15 @@
if (rval) {
reply(530, "Login incorrect.");
if (logging)
- syslog(LOG_NOTICE,
- "FTP LOGIN FAILED FROM %s, %s",
- remotehost, curname);
+ if (getpwnam(curname)){
+ syslog(LOG_NOTICE,
+ "FTP LOGIN FAILED FROM %s, %s",
+ remotehost, curname);
+ } else {
+ syslog(LOG_NOTICE,
+ "FTP LOGIN FAILED FROM %s, (unknown user)",
+ remotehost);
+ }
pw = NULL;
if (login_attempts++ >= 5) {
syslog(LOG_NOTICE,
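Review bot: the `if (logging)` at the top of the hunk now guards a compound if/else but still has no braces; style(9) wants braces around a multi-statement body, and adding them also removes any doubt about which `if` the `else` on the `+ } else {` line binds to. A second point: `getpwnam(curname)` is a fresh passwd lookup made only to decide whether to print the name, while `pw` is still in scope here (it is cleared on the `pw = NULL;` line right after); if `pw` at this point still holds the result of the earlier lookup for `curname`, testing `pw != NULL` would give the same answer without the extra database hit. Finally, the conditional still writes any name that matches a real account into a world-readable log, so the log now also tells its readers which account names exist; if the name adds no diagnostic value, the `(unknown user)` form could simply be used unconditionally.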
>Release-Note:
>Audit-Trail:
>Unformatted:
