[15500] in bugtraq


Concerning the LDAP Enabled Netscape FTP Server

daemon@ATHENA.MIT.EDU (Alfred Huger)
Tue Jun 27 17:54:04 2000

Message-Id:  <Pine.GSO.4.21.0006270916180.23667-100000@mail>
Date:         Tue, 27 Jun 2000 09:21:36 -0700
Reply-To: Alfred Huger <ah@SECURITYFOCUS.COM>
From: Alfred Huger <ah@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Over the last few days a great number of people have mailed us in regards
to the "Netscape Professional Services FTP Server Vulnerability"
(http://www.securityfocus.com/bid/1375) discovered by Michal Zalewski
<lcamtuf@tpi.pl> and posted to the Bugtraq mailing list on Wed, 21 Jun
2000.

The following mail which we received should shed some light on the
subject. Thanks to both Netscape and Kurt Seifried for digging into this.


Alfred Huger
VP of Engineering
SecurityFocus.com

---------- Forwarded message ----------
Date: Tue, 27 Jun 2000 16:51:00 +0200
From: Uwe Springmann <uspring@netscape.com>
To: Kurt Seifried <seifried@securityportal.com>
Cc: vuldb@securityfocus.com, lord@netscape.com
Subject: Re: Netscape ftp Server (fwd)

Kurt,

I do know your name as I am routinely reading your weekly postings. Good work!

Concerning Netscape FTP-Server: The fact is, there are versions of this
software which have the posted problems. This LDAP-aware ftp server never
was an official Netscape product but something our Professional Service
people used to supply our Enterprise Web Server with upload functionality
(especially with big ISPs and virtual domain hosting).

Every installation of this software required making adaptations and
changing the code in several ways. At present we don't know which version
at which site might be vulnerable. We do know that we have installations
in Germany which are not vulnerable (the mail below refers to these
installations).

Currently we are working to do an overhaul of this piece of software to
give customers the possibility to use an LDAP-aware FTP-server, and to get
rid of these security problems. This is a high priority project and I'll
let you know when it is finished.

The BUGTRAQ people asked for a contact within Netscape for general
Netscape / iPlanet products security issues. Bob Lord (now Director for
Security with the Mozilla Project) will serve this role and could route to
the appropriate people within our company.

I will keep you posted.

Uwe
