soup4you2
September 24th, 2003, 16:01
just thought i would inform you.. dont know if anybody here uses proftp but if you do patch it..
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Internet Security Systems Security Brief
> September 23, 2003
>
> ProFTPD ASCII File Remote Compromise Vulnerability
>
> Synopsis:
>
> ISS X-Force has discovered a flaw in the ProFTPD Unix FTP server.
ProFTPD
> is a highly configurable FTP (File Transfer Protocol) server for Unix
> that allows for per-directory access restrictions, easy configuration
of
> virtual FTP servers, and support for multiple authentication
mechanisms.
> A flaw exists in the ProFTPD component that handles incoming ASCII
file
> transfers.
>
> Impact:
>
> An attacker capable of uploading files to the vulnerable system can
> trigger a buffer overflow and execute arbitrary code to gain complete
> control of the system. Attackers may use this vulnerability to
destroy,
> steal, or manipulate data on vulnerable FTP sites.
>
> Affected Versions:
>
> ProFTPD 1.2.7
> ProFTPD 1.2.8
> ProFTPD 1.2.8rc1
> ProFTPD 1.2.8rc2
> ProFTPD 1.2.9rc1
> ProFTPD 1.2.9rc2
>
> Note: Versions previous to version 1.2.7 may also be vulnerable.
>
> For the complete ISS X-Force Security Advisory, please visit:
> http://xforce.iss.net/xforce/alerts/id/154
v902
September 24th, 2003, 16:57
It comes default on slackware FYI. Kinda sad really seeing such a robust/secure FTP server have a vuln, but hey, atleast it's not a weekly vuln (*cough* wu_ftpd *cough*)
frisco
September 24th, 2003, 17:08
I use proftpd. Last time i upgraded was almost two years ago, then due to a security vulnerability as well.
It has a fairly robust feature set, i'm surprised that more bugs for it aren't released.
wu_ftpd had a vulnerability earlier this week too, but i don't remember another one being released very recently (few months maybe).
v902
September 24th, 2003, 17:12
Just poking fun at wu_ftpd's not so great security past ;)
Proftpd does rock :)
frisco
September 24th, 2003, 17:40
If you use proftpd and are upgrading from an old enough version, note this change:
[code:1:d88d1bf234]
<Directory /*>
AllowOverwrite on
</Directory>
should now be
<Directory />
AllowOverwrite on
</Directory>
[/code:1:d88d1bf234]
I got bit by that earlier today. Last night users started complaining about not being able to upload some files and i couldn't see what was wrong with their permissions. That * made the difference.
Kernel_Killer
September 24th, 2003, 23:02
Secure FTP all the way. Something about people sniffing user/pass makes me stray away.
Strog
September 25th, 2003, 01:16
I'd have to agree with Kernel_Killer on that one. sftp is the way to go but some people don't want to give shell access to sftp users. I know I've said it before but you can install scponly shell ( http://www.sublimation.org/scponly/ ) and the users could only use scp/sftp and would be denied any shell access. There's a nice script with it to setup the user, create and chroot their folder and copy the need files into their home.
I personally haven't used any clear text mechanisms for years on my own network.
v902
September 25th, 2003, 01:19
For LAN sftp is overkill, and I can see many applications where public (non-secure) FTP is still good, and better then sftp (Many people don't have sftp, don't know what it is, and in some situations FTP is just as good)
frisco
September 25th, 2003, 01:27
Are there good and free and easy to use graphical sftp clients for windows and mac?
v902
September 25th, 2003, 02:03
I know there is a good graphical scp one for Windows, WinSCP, it's free (OSS?)
Not sure about sftp, I believe the putty suite should come with some tools?
soup4you2
September 25th, 2003, 09:16
Are there good and free and easy to use graphical sftp clients for windows and mac?
There's a ton of them..
putty has a sftp command line client.
ssh.com's windows client has a nice GUI for sftp
there's WinSCP
SecureFX
My only gripe about sftp is that it's not standard for a option to resume a download.
frisco
September 25th, 2003, 10:03
[quote:0875263dde="frisco"]Are there good and free and easy to use graphical sftp clients for windows and mac?
There's a ton of them..
putty has a sftp command line client.
[/quote:0875263dde]
That's not graphical.
ssh.com's windows client has a nice GUI for sftp
That's not free.
there's WinSCP
That's windows only, but does come the closest to being useful for me. I'm glad to see it supports sftp these days and is a bit more mature. A few more months of bug fixes and i might be comfortable recommending it.
SecureFX
That's not free.
If Fugu (gui sftp for mac) has also matured, maybe that coupled with WinSCP would satisfy the requirements.
Strog
September 25th, 2003, 10:24
Gftp is available on OS X via fink/pkgsrc but I'm not sure about any good Classic MacOS clients.
soup4you2
September 25th, 2003, 10:43
That's not graphical.
Thats why i said command line
That's not free.
ftp://ftp.ssh.com/pub/ssh/SSHSecureShellClient-3.2.5.exe
Looks free to me.. :) you just dont get all the features.
bmk1st
September 25th, 2003, 10:48
Are there good and free and easy to use graphical sftp clients for windows and mac?
filezilla (http://filezilla.sourceforge.net/) is free and is for windows only. It does work well with ftp and sftp. Not sure about mac
frisco
September 26th, 2003, 13:55
If you use proftpd and are upgrading from an old enough version, note this change
Bah, i was very wrong about what the problem really was. More details here.
http://sourceforge.net/mailarchive/message.php?msg_id=6126954
Mor_gath
November 3rd, 2003, 13:32
filezilla is great graphical sftp client
rob897
November 8th, 2003, 23:35
I installed proftp via the ports, however it will not start here is the error:
[code:1:69a467de05]error opening scoreboard: No such file or directory[/code:1:69a467de05]
I have the conf file pretty much left as default. I would only want to allow access from one machine behind my router which is 192.168.1.20, where would I add this into the conf?
[code:1:69a467de05]ServerName "ProFTP"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User nobody
Group nogroup
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
# Normally, we want files to be overwriteable.
<Directory />
AllowOverwrite on
</Directory>[/code:1:69a467de05]
Thanks
dave
November 9th, 2003, 00:10
Mmmm, sftp is the way to go. Hate it at work how we're using Plesk as a front-end for our hosting clients, and that relies on proftpd to be running on our box, which doesn't do much for security. Had to patch this baby when the patch came out, found people trying to exploit it afterwards on the box. Can't wait to get evil Plesk off that machine once we have our own front/backends in place so we can just use sftp, that's one thing i hate about looking after that box ;P
On the brighter side i suppose that at least there are only very few proftpd bugs that seem to surface as opposed to some of the other ftpd's.
- dave
frisco
November 10th, 2003, 15:39
I installed proftp via the ports, however it will not start here is the error:
[code:1:916378fc42]error opening scoreboard: No such file or directory[/code:1:916378fc42]
I believe by default it's /usr/local/var/proftpd/proftpd.scoreboard Do you have a /usr/local/var/proftpd dir? What OS are you installing it on?