Re: [fw-wiz] SANS Top Ten and Commercial Firewalls

From: Paul D. Robertson (probertsat_private)
Date: Fri Oct 04 2002 - 07:21:34 PDT

    On Fri, 4 Oct 2002, Devdas Bhagat wrote:
    
    > > (A) Project history- Postfix and Qmail have held up well, proftpd erm, 
    > > hasn't.  I haven't followed the other two, since FTP is on my list of "Horribly 
    > > broken protocols I'll never support."
    > I'll agree with this. Proftpd has not had a showstopping bug except for
    > a DOS due to globbing (IIRC). There have been minor bugs, but none of
    
    Just after Flood dropped the project I seem to recall a spate of exploits, 
    one after another[1].  Looking back, I count 3 definite root exploits, a 
    couple of other issues that'd make me not want to put it in a hostile 
    environment.
    
    Personally, I'd have looked at one I hadn't run before, or the BSD one, 
    which has only had a couple of issues in the last few years, and I don't 
    think any of them were unique to that instance.
    
    > them were the security kind.
    > I haven't run a ftpd for quite some time, and when I was looking (about
    > Nov/Dec 2000), proftpd was the best choice due to its easy config and
    > relative security. Current status is a wholly different issue.
    
    Personally, I'd look elsewhere given the history (and that's not saying it 
    hasn't been fixed, it's saying I don't trust the original goal of security 
    in the design given its lack of compliance with that goal.)  I'll give 
    you "easy to config," because it met that goal quite well, but in Nov of 
    2000, it was just done with a raft of exploits, bugs and a change of 
    maintainership- none of them particularly confidence inspiring in my 
    opinion.
    
    > > (B) Look at the code.
    > This always works, but its a question of time on the security people's
    > part.
    
    Yes, but if you never do it, you'll never get time budgeted for it.  I 
    used to do per-protocol risk assessments for weeks before allowing or 
    disallowing anything new- sometimes it wasn't overly necessary, it was 
    *obvious* that the answer was going to be no, but doing some of those 
    anyway got the organization in tune with "new stuff takes weeks of 
    examination."
    
    > > > (C) Developer history.
    > Good stance to go by for first filtering.
    
    People used to grep for "Vixie" to find exploits.  Sad, but true.
    
    > > (D) Developer's understanding of the protocol and its weaknesses.
    > Difficult to judge rapidly. Since the weaknesses are usually at the
    > boundaries. Also, the developers understanding of the language used.
    
    In that case use it in reverse, add points to those who can and do 
    articulate it well.
    
    Paul
    [1] ProFTPD 1.2 pre1-pre5 Long Path Buffer Overflow
        ProFTPD 1.2 .0rc3-1.2.2 PTR hostname ACL/logging
        ProFTPD 1.2 .0rc3-1.2 Globbing issue
        ProFTPD 1.2 pre9-1.2 SITE DoS
        ProFTPD 1.2 pre9-1.2 SIZE DoS
        ProFTPD 1.2 pre9-1.2 Probably non-exploitable cwd format string
        ProFTPD 1.2 pre9-1.2 Probably non-exploitable ERROR_MSG
        ProFTPD 1.2 pre2-1.2 pre11 USER DoS
        ProFTPD 1.2 pre1-1.2 pre10 Setproctitle() Overflow
        ProFTPD 1.2 .0rc3-1.2 pre11 SQL passwords and local users 
        I seem to recall about pre-1 or pre2 through pre-6 or so being "bug of
        the day" sorts of things.
    
    
    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson      "My statements in this message are personal opinions
    probertsat_private      which may have no basis whatsoever in fact."
    probertsonat_private Director of Risk Assessment TruSecure Corporation
    