On Fri, 4 Oct 2002, Devdas Bhagat wrote:

> > (A) Project history- Postfix and Qmail have held up well, proftpd erm,
> > hasn't. I haven't followed the other two, since FTP is on my list of "Horribly
> > broken protocols I'll never support."
> I'll agree with this. Proftpd has not had a showstopping bug except for
> a DOS due to globbing (IIRC). There have been minor bugs, but none of

Just after Flood dropped the project I seem to recall a spate of exploits, one after another[1]. Looking back, I count 3 definite root exploits, a couple of other issues that'd make me not want to put it in a hostile environment. Personally, I'd have looked at one I hadn't run before, or the BSD one, which has only had a couple of issues in the last few years, and I don't think any of them were unique to that instance.

> them were the security kind.
> I haven't run a ftpd for quite some time, and when I was looking (about
> Nov/Dec 2000), proftpd was the best choice due to its easy config and
> relative security. Current status is a wholly different issue.

Personally, I'd look elsewhere given the history (and that's not saying it hasn't been fixed, it's saying I don't trust the original goal of security in the design given its lack of compliance with that goal.) I'll give you "easy to config," because it met that goal quite well, but in Nov of 2000, it was just done with a raft of exploits, bugs and a change of maintainership- none of them particularly confidence inspiring in my opinion.

> > (B) Look at the code.
> This always works, but it's a question of time on the security people's
> part.

Yes, but if you never do it, you'll never get time budgeted for it. I used to do per-protocol risk assessments for weeks before allowing or disallowing anything new- sometimes it wasn't overly necessary, it was *obvious* that the answer was going to be no, but doing some of those anyway got the organization in tune with "new stuff takes weeks of examination."

>
> > (C) Developer history.
> Good stance to go by for first filtering.

People used to grep for "Vixie" to find exploits. Sad, but true.

> > (D) Developer's understanding of the protocol and its weaknesses.
> Difficult to judge rapidly. Since the weaknesses are usually at the
> boundaries. Also, the developer's understanding of the language used.

In that case use it in reverse, add points to those who can and do articulate it well.

Paul

[1]
ProFTPD 1.2 pre1-pre5 Long Path Buffer Overflow
ProFTPD 1.2 .0rc3-1.2.2 PTR hostname ACL/logging
ProFTPD 1.2 .0rc3-1.2 Globbing issue
ProFTPD 1.2 pre9-1.2 SITE DoS
ProFTPD 1.2 pre9-1.2 SIZE DoS
ProFTPD 1.2 pre9-1.2 Probably non-exploitable cwd format string
ProFTPD 1.2 pre9-1.2 Probably non-exploitable ERROR_MSG
ProFTPD 1.2 pre2-1.2 pre11 USER DoS
ProFTPD 1.2 pre1-1.2 pre10 Setproctitle() Overflow
ProFTPD 1.2 .0rc3-1.2 pre11 SQL passwords and local users

I seem to recall about pre-1 or pre2 through pre-6 or so being "bug of the day" sorts of things.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private    Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 07:35:46 PDT