| Summary: | ftpd leaks password typed as username by mistake |
|---|---|
| Product: | Base System |
| Component: | bin |
| Reporter: | Yoshihiro Koya <Yoshihiro.Koya> |
| Assignee: | Yar Tikhiy <yar> |
| Status: | Closed FIXED |
| Severity: | Affects Only Me |
| Priority: | Normal |
| Version: | 4.4-PRERELEASE |
| Hardware: | Any |
| OS: | Any |
| Attachments: | |

Description
Yoshihiro Koya
2001-08-06 14:50:01 UTC
On 06-Aug-2001 Yoshihiro Koya wrote:
>
> One might quite often type the password instead of the username
> into ftp clients by mistake.
> In that case, ftpd(8) on FreeBSD logs the usernames into
> /var/log/messages as follows

But this information is sometimes relevant if you would like to be able
to tell the difference between an attacker probing several different
accounts and a normal user mistyping their username.

>
> Aug 6 22:19:28 presario ftpd[814]: FTP LOGIN FAILED FROM localhost, mypass
>
> On the other hand, every user on the system can access /var/log/messages.
> It might cause security related problems.

A better way might be to log the username info to a different facility,
auth, authpriv or something that's not logged to a world readable file.

Mike

--
Mike Heffner <mheffner@[acm.]vt.edu>
Fredericksburg, VA <mikeh@FreeBSD.org>

Hello,

From: Mike Heffner <mheffner@novacoxmail.com>
Subject: RE: bin/29487: ftpd leaks password typed as username by mistake
Date: Mon, 06 Aug 2001 21:38:28 -0400 (EDT)
Message-ID: <XFMail.20010806213828.mheffner@novacoxmail.com>

> On 06-Aug-2001 Yoshihiro Koya wrote:
> >
> > One might quite often type the password instead of the username
> > into ftp clients by mistake.
> > In that case, ftpd(8) on FreeBSD logs the usernames into
> > /var/log/messages as follows
>
> But this information is sometimes relevant if you would like to be able to tell
> the difference between an attacker probing several different accounts and a
> normal user mistyping their username.

Yes. I agree with you. But, I thought at that time that the defect that
ftpd may leak the password is more harmful than the defect that I'm not
able to distinguish the difference between a mistype and an attack.

> >
> > Aug 6 22:19:28 presario ftpd[814]: FTP LOGIN FAILED FROM localhost, mypass
> >
> > On the other hand, every user on the system can access /var/log/messages.
> > It might cause security related problems.
>
> A better way might be to log the username info to a different facility, auth,
> authpriv or something that's not logged to a world readable file.

I agree with you again. I think that your suggestion might be a better one.

koya

State Changed
From-To: open->analyzed

While nobody has decided to commit this patch, the issue is potentially of
issue to a junior hacker. Therefore this patch gets moved to analyzed, rather
than suspended.

State Changed
From-To: analyzed->suspended

Sheldon feels this is better filed as suspended.

State Changed
From-To: suspended->patched

Since no junior hacker had arisen to deal with this problem, a somewhat older
one decided to peek at it. Fixed in CURRENT in the way login(1) had been using
since the beginning. Thanks!

Responsible Changed
From-To: freebsd-bugs->yar

MFC reminder.

State Changed
From-To: patched->closed

STABLE ftpd(8) now logs bad usernames to LOG_AUTHPRIV, as does the CURRENT one.
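As an added example (not part of the PR or of FreeBSD's ftpd), the script below shows that the distinction Mike asks for can still be drawn once failures go to the restricted authpriv log: it parses ftpd failure lines in the format quoted above, groups them by source host and reports distinct-username counts without echoing the names themselves, since a "username" may be a password. The log lines are constructed, and the threshold of three distinct names per host is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Failure line format as quoted in the PR: "... ftpd[PID]: FTP LOGIN FAILED FROM host, user"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: "
    r"FTP LOGIN FAILED FROM (?P<host>[^,]+), (?P<user>.*)$"
)

# Constructed sample of the restricted authpriv log after the fix. The first
# line is the one quoted in the PR (a password typed into the username field);
# the 192.0.2.7 lines are a made-up run of guesses against several accounts.
SAMPLE_LOG = """\
Aug  6 22:19:28 presario ftpd[814]: FTP LOGIN FAILED FROM localhost, mypass
Aug  6 22:19:40 presario ftpd[815]: FTP LOGIN FAILED FROM localhost, koya
Aug  6 23:01:02 presario ftpd[901]: FTP LOGIN FAILED FROM 192.0.2.7, root
Aug  6 23:01:03 presario ftpd[902]: FTP LOGIN FAILED FROM 192.0.2.7, admin
Aug  6 23:01:04 presario ftpd[903]: FTP LOGIN FAILED FROM 192.0.2.7, test
Aug  6 23:01:05 presario ftpd[904]: FTP LOGIN FAILED FROM 192.0.2.7, guest
Aug  6 23:05:00 presario sshd[950]: unrelated line, must be ignored
"""

def parse_failures(log_text):
    """Map each source host to the list of usernames it failed with."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m.group("host")].append(m.group("user"))
    return dict(failures)

def classify(failures, probe_threshold=3):
    """A host cycling through >= probe_threshold distinct names looks like
    account probing; one or two names looks like a user mistyping."""
    return {
        host: "probing" if len(set(users)) >= probe_threshold else "mistype"
        for host, users in failures.items()
    }

def report(failures):
    """Per-host (attempts, distinct names) counts only. The username field may
    be a password, so the names stay in the restricted log, not in this summary."""
    return {host: (len(users), len(set(users))) for host, users in failures.items()}

if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    for host, verdict in classify(found).items():
        print(host, verdict, report(found)[host])
```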