[12660] in bugtraq
ProFTPd - mod_sqlpw.c
daemon@ATHENA.MIT.EDU (Todd C. Campbell)
Fri Nov 19 17:51:33 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <38358691.D85D4EA7@net-link.net>
Date: Fri, 19 Nov 1999 17:19:13 +0000
Reply-To: toddc@net-link.net
From: "Todd C. Campbell" <toddc@NET-LINK.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
A member of the proftpd mailing list and myself discovered a problem
with proftpd with mod_sqlpw.c optional module compiled in.
Unix last command reveals passwords where the username should be.
A patch was sent to the mailing list, however, the patch only protects
ftp localhost not ftp remotehost.
Johnie Ingram (Author of mod_sqlpw.c) was notified, as well as, the rest
of the mailing list.
I suggest the following work around:
<Global>
Wtemplog off
</Global>
Wtmplog details below:
WtmpLog
Syntax: WtmpLog on|off|NONE
Default: WtmpLog on
Context: server config, <VirtualHost>, <Anonymous>, <Global>
Compatibility: 1.1.7 and later
The WtmpLog directive controls proftpd's logging of ftp connections to
the host system's wtmp file (used by such commands
as `last'). By default, all connections are logged via wtmp.
_Todd
