ProFTPd - mod_sqlpw.c

From: Todd C. Campbell (toddc@net-link.net)
Date: Fri Nov 19 1999 - 09:19:13 PST

Next message: Mixter: "local users can panic linux kernel (was: SuSE syslogd advisory)"

Previous message: Chris Calabrese: "Re: Oracle 8 root exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

A member of the proftpd mailing list and myself discovered a problem
with proftpd with mod_sqlpw.c optional module compiled in.

Unix last command reveals passwords where the username should be.
A patch was sent to the mailing list, however, the patch only protects
ftp localhost not ftp remotehost.

Johnie Ingram (Author of mod_sqlpw.c) was notified, as well as, the rest
of the mailing list.

I suggest the following work around:

<Global>
Wtemplog off
</Global>

Wtmplog details below:
WtmpLog

Syntax: WtmpLog on|off|NONE
Default: WtmpLog on
Context: server config, <VirtualHost>, <Anonymous>, <Global>
Compatibility: 1.1.7 and later

The WtmpLog directive controls proftpd's logging of ftp connections to
the host system's wtmp file (used by such commands
as `last'). By default, all connections are logged via wtmp.


 _Todd

Next message: Mixter: "local users can panic linux kernel (was: SuSE syslogd advisory)"
Previous message: Chris Calabrese: "Re: Oracle 8 root exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:23 PDT