Date: Thu, 02 May 2002 17:23:04 -0500
From: Jorge Biquez <jbiquez@icsmx.com>
To: Dan Nelson <dnelson@allantgroup.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: FTP on 4.4.STABLE with problems?
Message-ID: <5.1.0.14.2.20020502172125.01f4bca0@icsmx.com>
In-Reply-To: <20020502221445.GG70810@dan.emsphone.com>
References: <5.1.0.14.2.20020502160148.03248c50@icsmx.com>
Thanks a lot!

With this they will know the HIGHEST risk they have on their server is not that .....

Jorge Biquez

At 17:14 02/05/02 -0500, you wrote:
>In the last episode (May 02), Jorge Biquez said:
> > At the company I'm working for, a client asked for a server for their
> > simple and plain web pages. They asked for an FTP account and Apache
> > configured. They have been working without problems. Since last month
> > a new area of the IT department is "auditing" the server remotely and
> > is asking us to fix the things they found wrong (or they believe are
> > wrong). According to them the FTP that is running by default on
> > the 4.4-STABLE version has problems. "Their automated report says
> > it". I'm including the message they sent me at the end of this email.
> > Any similar experiences on this? What have you done with clients like
> > this that think that "the server they ordered us to configure is
> > configured wrong"?
>
>Tell them to read the nessus report:
>
> > -------This is what they sent me as result of their auditing-----
> > FTPD glob Heap Corruption ftp (21/tcp) You seem to be running an FTP
> > server which is vulnerable to the 'glob heap corruption' flaw. An
> > attacker may use this problem to execute arbitrary commands on this
> > host.
> >
> > *** As Nessus solely relied on the banner of the server to issue this
> > *** warning, so this alert might be a false positive
>
>With the 'only safe tests' flag turned on, nessus doesn't actually test
>for bugs; it just checks banner strings and version numbers. FreeBSD's
>FTP client has always reported
>
>220 hostname FTP server (Version 6.00LS) ready.
>
>and nessus checks that and says "possibly buggy". This bug was fixed
>in FreeBSD's stock ftpd prior to the release of FreeBSD 4.3.
>ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:33.ftpd-glob.v1.1.asc
>
>--
> Dan Nelson
> dnelson@allantgroup.com
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
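The false positive Dan describes comes from a scanner that matches only the `220 ... (Version 6.00LS)` banner, which FreeBSD's ftpd kept unchanged across the fix. The following is an added example, not part of the thread or of Nessus, showing how a defender can triage such a banner-only finding by correlating it with the host's `uname -r` release: the banner regex, the `triage` function and the sample inputs are constructed here; the only facts taken from the thread are the banner text and that the bug was fixed in stock ftpd before FreeBSD 4.3 (FreeBSD-SA-01:33).

```python
import re
from typing import Optional

# Constructed sample: the banner FreeBSD's stock ftpd prints, as quoted in the thread.
SAMPLE_BANNER = "220 hostname FTP server (Version 6.00LS) ready."

# Banner-only signature of the kind a "safe checks" plugin uses. This regex is an
# assumption for illustration; the real plugin's pattern is not given in the thread.
BANNER_PATTERN = re.compile(r"FTP server \(Version (?P<ver>[^)]+)\) ready")

# Per FreeBSD-SA-01:33 (cited in the thread), the glob bug was fixed in stock ftpd
# before FreeBSD 4.3, so 4.3 and later ship the fix although the banner is unchanged.
FIXED_IN = (4, 3)


def parse_freebsd_release(rel: str):
    """Turn 'uname -r' output such as '4.4-STABLE' or '4.2-RELEASE' into (major, minor).

    Tuples are compared, not strings, so that '4.10' sorts after '4.3'.
    """
    m = re.match(r"^(\d+)\.(\d+)", rel.strip())
    if not m:
        raise ValueError(f"unrecognised FreeBSD release string: {rel!r}")
    return int(m.group(1)), int(m.group(2))


def banner_version(banner: str) -> Optional[str]:
    """Extract the version string from an FTP 220 greeting, or None if it does not match."""
    m = BANNER_PATTERN.search(banner)
    return m.group("ver") if m else None


def triage(banner: str, release: Optional[str]) -> dict:
    """Classify a banner-only scanner hit using the host's actual release.

    verdict is one of: 'no-match', 'unverified', 'false-positive', 'needs-patch'.
    """
    ver = banner_version(banner)
    if ver != "6.00LS":
        return {"match": False, "verdict": "no-match",
                "reason": "banner does not match the signature"}
    if release is None:
        return {"match": True, "verdict": "unverified",
                "reason": "banner-only evidence; host release unknown"}
    if parse_freebsd_release(release) >= FIXED_IN:
        return {"match": True, "verdict": "false-positive",
                "reason": f"fix predates {release}; see FreeBSD-SA-01:33"}
    return {"match": True, "verdict": "needs-patch",
            "reason": f"{release} predates the fix in FreeBSD 4.3"}


if __name__ == "__main__":
    # Constructed runs: the thread's 4.4-STABLE host, an older host, and no host data.
    for rel in ("4.4-STABLE", "4.2-RELEASE", None):
        print(rel, triage(SAMPLE_BANNER, rel))
```

The point of the `release is None` branch is that a banner alone can never confirm or clear the finding; the verdict only becomes "false-positive" once the host's own release says the fix is present, which is exactly the check the remote auditors skipped.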