From owner-freebsd-ports Fri Apr 23 22:22:34 1999
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 5485F14DFA for ; Fri, 23 Apr 1999 22:22:32 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.2/8.9.2) id WAA45492; Fri, 23 Apr 1999 22:20:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from bradenton.cisco.com (bradenton.cisco.com [161.44.105.162]) by hub.freebsd.org (Postfix) with ESMTP id 9439B14E4A for ; Fri, 23 Apr 1999 22:21:36 -0700 (PDT) (envelope-from marcus@bradenton.cisco.com)
Received: (from marcus@localhost) by bradenton.cisco.com (8.9.2/8.9.2) id BAA90009; Sat, 24 Apr 1999 01:19:02 -0400 (EDT) (envelope-from marcus)
Message-Id: <199904240519.BAA90009@bradenton.cisco.com>
Date: Sat, 24 Apr 1999 01:19:02 -0400 (EDT)
From: marcus@bradenton.cisco.com
Reply-To: jclarke@cisco.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: ports/11300: gftp 1.13 echos ftp passwords in clear-text
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 11300
>Category: ports
>Synopsis: gftp 1.13 echos ftp passwords in clear-text
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Apr 23 22:20:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator: Joe "Marcus" Clarke
>Release: FreeBSD 3.1-RELEASE i386
>Organization: Cisco Systems, Inc.
>Environment: FreeBSD 3.1-RELEASE on i586
>Description:
Using the latest gftp compiled from ports (version 1.13) I noticed that ftp passwords are echoed in the logging window in clear-text. This can be a security problem if people are looking over your shoulder.
>How-To-Repeat:
Compile gftp and connect to a remote host.
>Fix:
Apply this patch to gnome-ftp.c. It corrects the problem by echoing "******" instead of the password.
--- gnome-ftp.c Wed Mar 31 00:43:08 1999 +++ /home/marcus/gnome-ftp.c Sat Apr 24 01:07:01 1999 @@ -791,6 +791,7 @@ int gftp_send_command (gftp_request *request, const char *command) { struct timeval tv; fd_set rset; + char *print_command; g_return_val_if_fail (request != NULL, -2); g_return_val_if_fail (command != NULL, -2);
@@ -800,8 +801,16 @@ FD_SET (request->sockfd, &rset); tv.tv_sec = 10; tv.tv_usec = 0; + if (!strncmp(command, "PASS", 4)) { + print_command = (char *)malloc(sizeof("PASS ******\r\n")); + print_command = "PASS ******\r\n"; + } + else { + print_command = (char *)malloc(sizeof(command)); + (void)strcpy(print_command,command); + } if (request->logging) { - request->logging_function (gftp_logging_send, request->user_data, command); + request->logging_function (gftp_logging_send, request->user_data, print_command); } if (select (request->sockfd+1, NULL, &rset, NULL, &tv) == 0) { >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
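Review bot: in the first hunk (@@ -791,6 +791,7 @@), print_command is declared as a plain char *, yet the only values it needs to hold are the caller's const char *command and a string literal, and its only consumer is logging_function, which the original code already calls with command itself; declaring it `const char *print_command;` lets it point at either string directly, with no cast, no copy and no allocation to track.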
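Review bot: the second hunk (@@ -800,8 +801,16 @@) has a heap overflow in its else branch: `print_command = (char *)malloc(sizeof(command));` sizes the buffer with sizeof on a const char *, which is the size of a pointer (4 bytes on the i386 this PR was filed from), not the length of the string, so the `(void)strcpy(print_command,command);` that follows writes past the end of the allocation for any command longer than three characters. Use `strlen(command) + 1`, or g_strdup since the function already uses glib. The PASS branch has a different problem: the malloc result is overwritten on the very next line by `print_command = "PASS ******\r\n";`, so that allocation is leaked, and neither branch frees print_command after the logging call, so every command sent leaks memory. Since logging_function already accepts the const char *command, the simplest correct version needs no allocation at all, e.g. `print_command = strncmp(command, "PASS", 4) ? command : "PASS ******\r\n";` with print_command declared const char *.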
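The approach the fix describes (logging a fixed placeholder in place of the PASS line), written out as an added example that is neither gftp's code nor the patch above: a hypothetical helper log_safe_command() that selects the text to log without copying it, plus a small check that the logged text no longer contains the secret. It goes slightly beyond the patch by matching the verb case-insensitively (RFC 959 verbs are case-insensitive) and by not redacting commands that merely begin with the letters PASS, such as PASV. The sample session at the bottom is constructed, not captured traffic.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Fixed placeholder written to the log in place of the real PASS line. */
const char *const REDACTED_PASS = "PASS ******\r\n";

/* Hypothetical helper, not part of gftp: return the text that may safely be
 * written to the log window for an outgoing FTP command. For a PASS command
 * the placeholder is returned; everything else is returned unchanged. No
 * copy is made, so nothing has to be freed and there is no buffer size to
 * get wrong. */
const char *log_safe_command(const char *command)
{
    /* Match the verb only: "PASS" followed by a space, CR, LF or NUL.
     * "pass" counts too; "PASV" or a hypothetical "PASSWD" do not. */
    if (strncasecmp(command, "PASS", 4) == 0) {
        char next = command[4];
        if (next == ' ' || next == '\r' || next == '\n' || next == '\0')
            return REDACTED_PASS;
    }
    return command;
}

/* Check for tests: would the logged text still expose the given secret?
 * Returns 1 if the secret is present in what would be logged, else 0. */
int log_leaks_secret(const char *command, const char *secret)
{
    return strstr(log_safe_command(command), secret) != NULL;
}

int main(void)
{
    /* Constructed sample session, not captured traffic. */
    const char *session[] = {
        "USER marcus\r\n",
        "PASS hunter2\r\n",
        "PASV\r\n",
        "pass hunter2\r\n",
    };
    size_t i;
    for (i = 0; i < sizeof(session) / sizeof(session[0]); i++)
        printf("log: %s", log_safe_command(session[i]));
    return 0;
}
```

The caller passes the returned pointer to the logging function exactly where the patch passes print_command; because the helper returns either the caller's own string or a string literal, nothing is allocated and nothing needs freeing. This only keeps the password out of the log window: the PASS command itself still crosses the network in clear text, which is inherent to plain FTP.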