Auto_FTP v0.02 Advisory

From: Ben (skaloreat_private)
Date: Tue Oct 05 1999 - 16:30:54 PDT


    Auto_FTP.pl v0.2 Advisory 10/5/99
    Nightfall Security Group (www.nfsg.org)
    
    Auto_FTP.pl is a perl script that utilizes a shared directory, anytime
    something new is put into the shared directory it transfers it to the
    specified ftp site. Auto_FTP is available via freshmeat.net at
    http://apps.freshmeat.net/download/938443720/.
    
    Auto_FTP uses a configuration file that can be found in
    /etc/auto_ftp.conf, which contains the username, password and IP address
    of the remote ftp site in plain text, thereby allowing anyone
    with read access to /etc to view the login and password to the ftp site.
    
    Another problem is that the shared directory by default is /tmp/ftp_tmp
    which can be viewed by any users on the machine. If you are transferring
    sensitive material with Auto_FTP it won't be
    sensitive for much longer.
    
    Auto_FTP does not check to see what user is sending to the shared
    directory. Any user on the local system could copy a file to
    /tmp/ftp_tmp and have it transferred to the ftp.
    
    Auto_FTP in summary:
    
    - Stores login and password for remote ftp in plaintext configuration
    file
    - Uses a shared directory to automatically transfer files that by
    default can be used and viewed by anyone
    - Auto_FTP does not check to see what user sent a specific file to the
    shared directory, therefore allowing anyone to copy a file to the shared
    directory and have it transferred to the ftp. (The
    default shared directory is /tmp/ftp_tmp).
    
    In conclusion, this program, while it may be a good idea, does not concern
    itself with security precautions and is therefore not recommended when
    the contents of the data are important. Reminder:
    plaintext passwords in a file that can be viewed by anyone are never a
    good idea.
    
    Nightfall Security Group (www.nfsg.org)
    Advisory --AUTO_FTP.PL-- 10/5/99
    
    --
    ------------------
    skaloreat_private
    Chairman of ToorCon (http://www.toorcon.com)
    Founder of San Diego 2600 (http://www.sd2600.net)
    
    "We hold these truths to be self-evident, that all men are created equal.."
    - Declaration of Independence
    ------------------
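
A permission audit covering the three issues the advisory lists, written here as an added example; it is not part of the advisory and not Auto_FTP's own code. It assumes the paths the advisory gives (/etc/auto_ftp.conf and /tmp/ftp_tmp) and a hypothetical "trusted uid" whose files alone should be queued for transfer; the contents of the sample config file are constructed and do not follow the real auto_ftp.conf format. `demo()` builds a throwaway tree with the insecure defaults, audits it, then applies owner-only modes and audits again, so it runs offline without touching the live system.

```python
import os
import shutil
import stat
import tempfile

# Paths named in the advisory; the audit functions take paths as arguments so
# they can be pointed at a test tree instead of the live system.
DEFAULT_CONF = "/etc/auto_ftp.conf"
DEFAULT_SHARE = "/tmp/ftp_tmp"


def audit_config(conf_path):
    """Flag a credential file that is readable or writable beyond its owner."""
    findings = []
    mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{conf_path}: readable by group/others (mode {mode:04o}); "
                        "ftp login and password exposed")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{conf_path}: writable by group/others (mode {mode:04o}); "
                        "ftp destination could be altered")
    return findings


def audit_share(share_dir, trusted_uid):
    """Flag a shared directory that other users can list or drop files into,
    and any queued file not owned by the trusted uid (the ownership check the
    advisory says Auto_FTP lacks)."""
    findings = []
    mode = stat.S_IMODE(os.stat(share_dir).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{share_dir}: writable by group/others (mode {mode:04o}); "
                        "any local user can queue a file for transfer")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{share_dir}: readable by group/others (mode {mode:04o}); "
                        "queued files can be listed by any local user")
    for name in sorted(os.listdir(share_dir)):
        path = os.path.join(share_dir, name)
        uid = os.stat(path).st_uid
        if uid != trusted_uid:
            findings.append(f"{path}: owned by uid {uid}, not trusted uid {trusted_uid}; "
                            "should not be transferred")
    return findings


def demo():
    """Constructed sample: a temp tree with the advisory's insecure defaults,
    audited before and after hardening. Returns both finding lists."""
    root = tempfile.mkdtemp(prefix="auto_ftp_audit_")
    try:
        conf = os.path.join(root, "auto_ftp.conf")
        share = os.path.join(root, "ftp_tmp")
        with open(conf, "w") as fh:
            # Constructed contents; not the real auto_ftp.conf format.
            fh.write("user=example\npass=example\nhost=192.0.2.10\n")
        os.mkdir(share)
        with open(os.path.join(share, "report.txt"), "w") as fh:
            fh.write("queued file\n")

        # Insecure: world-readable config, world-writable share. The queued file
        # is owned by the current user; passing a different trusted uid stands in
        # for a file dropped by some other local user.
        os.chmod(conf, 0o644)
        os.chmod(share, 0o777)
        me = os.getuid()
        insecure = audit_config(conf) + audit_share(share, trusted_uid=me + 1)

        # Hardened: owner-only modes, and the queued file belongs to the trusted uid.
        os.chmod(conf, 0o600)
        os.chmod(share, 0o700)
        hardened = audit_config(conf) + audit_share(share, trusted_uid=me)
        return {"insecure": insecure, "hardened": hardened}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

Against the insecure tree the audit reports four findings (the readable config, the writable and readable share directory, and the file owned by a uid other than the trusted one); after chmod 600 on the config, chmod 700 on the share directory and restricting transfers to the trusted uid's own files, it reports none. Run against the real paths, `audit_config(DEFAULT_CONF)` and `audit_share(DEFAULT_SHARE, trusted_uid)` give the same checks on a live install.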
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:49 PDT