Date: Sun, 08 Jun 1997 15:49:16 -0700 From: David Greenman <dg@root.com> To: yossman <yossman@yoss.canweb.net> Cc: security@FreeBSD.ORG Subject: Re: ftpd security weakness on FreeBSD (fwd) Message-ID: <199706082249.PAA00116@implode.root.com> In-Reply-To: Your message of "Sun, 08 Jun 1997 12:17:06 EDT." <Pine.BSF.3.95q.970608121429.19624J-100000@yoss.canweb.net>
next in thread | previous in thread | raw e-mail | index | archive | help
>one of my users sent me this. just wondering if anyone has heard about >this before. he claims freebsd.org is affected. ... >---------- Forwarded message ---------- >Date: Sun, 1 Jun 1997 22:14:03 +1000 >To: yossman@canweb.net >Subject: ftpd security weakness on FreeBSD > >Yoss, > >FreeBSD's ftpd has a bug (although I dont know if its a fetaure of FTP protocol >or not (maybe newer RFC's discuss it)). >Its possible to semi-hijack the ftpd into doing portscans to arbitrary >hosts/ports. A good replacement would be wu-ftp 2.4.2 beta 11 or later. There are options for disallowing PORT commands to remote ports less than 1024 (priviledged ports) or addresses other than the originator's. Enabling these options will violate the FTP RFC and might break support for ftp proxies. The options were added to FreeBSD on Aug. 5, '96. -DG David Greenman Core-team/Principal Architect, The FreeBSD Project
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199706082249.PAA00116>