[317] in linux-security and linux-alert archive
wu-ftp - visible passwords.
daemon@ATHENA.MIT.EDU (Derric Scott)
Sat Aug 12 14:19:29 1995
From: Derric Scott <dtscott@scott.net>
To: linux-security@tarsier.cv.nrao.edu
Date: Wed, 9 Aug 1995 00:56:14 -0500 (CDT)
Cc: dtscott@koala.scott.net (Derric Scott)
[mod: I don't see this as a real problem, but it might interest
some of you nevertheless. Followups to Derric, please. --okir]
Hello!
Well, I'm not an expert at either of the two programs below; however,
I just now saw this and thought it'd be worth comments from others who
may know them better:
I just unzipped a version of "WS_FTP - WinSock_FTP" for MS-Windows and
checked it out. I filled out "anonymous" for the login name, then, like
a dummy, stuck my real password in instead of the traditional E-mail
address. I forgot about this quickly and started a 2 Meg file download
from the Linux box (via modem - a fairly long procedure).
Well, imagine my surprise when I did a "ps afux" on the Linux machine
and saw my "anonymous/MY_REAL_PASSWORD" out there for anyone to see!!!!
My Linux machine is running wu_ftp.
Does anyone else see this as a security problem of sorts? Why is the
password stuck there at all (and there was no "@" in it)? Are there
options to wu_ftp to prevent this behavior?? Is it something the WS_FTP
program did?
Derric
--
Derric Scott Scott Network Services, Inc. P. O. Box 361353
derric@scott.net (205)987-5889 Birmingham, AL 35236
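
An added example, not part of the original message or of either program: a small audit that scans `ps`-style output for the "anonymous/<password>" process title reported above and flags sessions where the typed value has no "@", reporting only its length. The sample output, hosts, PIDs and the exact title layout are constructed assumptions.

```python
import re

# Constructed sample in the shape of `ps afux` output; every host, PID and
# value is made up. Assumption: the FTP daemon's process title contains
# "anonymous/<password as typed>", as the message above reports.
SAMPLE_PS = """\
USER       PID %CPU %MEM  SIZE   RSS TTY STAT START   TIME COMMAND
root        71  0.0  1.2    60   188  ?  S    00:12   0:00 inetd
ftp        412  0.3  3.1   420   496  ?  S    00:41   0:02 ftpd: pc1.example.org: anonymous/user@example.org: RETR big.tgz
ftp        418  0.2  3.0   420   488  ?  S    00:44   0:01 ftpd: pc2.example.org: anonymous/MY_REAL_PASSWORD: RETR big.tgz
dts        455  0.0  2.0   300   320 p1  S    00:50   0:00 -bash
"""

TITLE_RE = re.compile(r"anonymous/(\S+)")


def parse_ps(text):
    """Yield (pid, command) from ps output with 10 columns before COMMAND."""
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 10)
        if len(fields) == 11 and fields[1].isdigit():
            yield int(fields[1]), fields[10]


def audit(procs):
    """Flag anonymous sessions whose typed password is not e-mail shaped."""
    findings = []
    for pid, command in procs:
        match = TITLE_RE.search(command)
        if not match:
            continue
        value = match.group(1).rstrip(":")
        if "@" not in value:
            # Report only the length so the audit does not re-expose the value.
            findings.append({"pid": pid, "exposed": f"<redacted, {len(value)} chars>"})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ps(SAMPLE_PS)):
        print(f"pid {finding['pid']}: non-e-mail anonymous password "
              f"visible in process title {finding['exposed']}")
```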