[1365] in bugtraq
Re: Problems with wuftpd - password logging(?)
daemon@ATHENA.MIT.EDU (joshua geller)
Fri Mar 31 21:04:03 1995
From: joshua geller <joshua@dee.retix.com>
Date: Fri, 31 Mar 1995 15:59:20 -0800
To: haddock.saa-cons.co.uk:djr@saa-cons.co.uk
Cc: mccomb@interport.net, bugtraq@fc.net
In-Reply-To: <Pine.A32.3.91.950331143844.48150A-100000@haddock.saa-cons.co.uk> (<@haddock.saa-cons.co.uk:djr@saa-cons.co.uk>)

> On Thu, 16 Mar 1995, DaVe McComb wrote:
> > I seem to have a major problem with wuftpd version wu-2.4, in that if a
> > specific sequence of steps is taken, the user's password is logged to
> > /var/adm/messages, wtmp, and to the screen. This is happening under
>
> This also happens to me. I've just stepped up the amount of logging that
> occurs with our main Unix box, which is an RS/6000 running AIX 3.2.5.
> The ftpd is the standard one that IBM provide. If ftpd is invoked with a
> -d option, and syslog logs daemon activity of debug and above, then, when
> a normal user ftp's to the machine, it logs their password! Not good.

cool! add this to shipping with rexd enabled and a gratuitous backdoor
root login and IBM is FAST OVERTAKING SUN in the shipping with evil security
holes contest.
josh
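
An audit check for the condition the quoted report describes (ftpd started with `-d` while syslog records daemon messages at debug priority), added here as an example and not part of the thread or of any vendor tooling. The sample config contents, file paths, and the "last matching selector wins" reading of `syslog.conf` are assumptions.

```python
# Constructed sample configs (not from the thread); paths are illustrative.
INETD_CONF = """\
#ftp   stream tcp nowait root /usr/sbin/ftpd    ftpd
ftp    stream tcp nowait root /usr/sbin/ftpd    ftpd -l -d
telnet stream tcp nowait root /usr/sbin/telnetd telnetd
"""
SYSLOG_CONF = """\
# selector          action
*.err;kern.debug    /dev/console
daemon.debug        /var/adm/messages
*.debug;daemon.none /var/adm/debug.log
"""

def ftpd_debug_enabled(inetd_conf):
    """True if an active 'ftp' service entry passes -d to its server."""
    for line in inetd_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        # Fields: service type proto wait user path argv0 args...
        if len(fields) >= 7 and fields[0] == "ftp":
            if any(a.startswith("-") and "d" in a[1:] for a in fields[7:]):
                return True
    return False

def daemon_debug_targets(syslog_conf):
    """Actions that receive daemon-facility messages at debug priority."""
    targets = []
    for line in syslog_conf.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        level = None
        for selector in parts[0].split(";"):
            facilities, _, priority = selector.partition(".")
            if {"*", "daemon"} & set(facilities.split(",")):
                level = priority  # assumption: last matching selector wins
        if level in ("debug", "*"):
            targets.append(parts[1].strip())
    return targets

def password_logging_risk(inetd_conf, syslog_conf):
    """Log destinations exposed to the ftpd -d password logging, if any."""
    if not ftpd_debug_enabled(inetd_conf):
        return []
    return daemon_debug_targets(syslog_conf)

if __name__ == "__main__":
    for target in password_logging_risk(INETD_CONF, SYSLOG_CONF):
        print("ftpd -d output (including passwords) reaches:", target)
```

Any destination it reports should be readable only by root, or the `-d` flag should be dropped from the ftpd entry.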