From owner-freebsd-questions Thu May 2 15:14:53 2002 Delivered-To: freebsd-questions@freebsd.org Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by hub.freebsd.org (Postfix) with ESMTP id CA74737B416 for ; Thu, 2 May 2002 15:14:47 -0700 (PDT) Received: (from dan@localhost) by dan.emsphone.com (8.12.2/8.12.3) id g42MElgS030040; Thu, 2 May 2002 17:14:47 -0500 (CDT) (envelope-from dan) Date: Thu, 2 May 2002 17:14:46 -0500 From: Dan Nelson To: Jorge Biquez Cc: freebsd-questions@FreeBSD.ORG Subject: Re: FTP on 4.4.STABLE with problems? Message-ID: <20020502221445.GG70810@dan.emsphone.com> References: <5.1.0.14.2.20020502160148.03248c50@icsmx.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5.1.0.14.2.20020502160148.03248c50@icsmx.com> User-Agent: Mutt/1.3.28i X-OS: FreeBSD 5.0-CURRENT X-message-flag: Outlook Error Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG In the last episode (May 02), Jorge Biquez said: > On the company I'm working a client asked for a server for their > simple and plain web pages. They asked for an FTP account and Apache > configured. They have been working without problems. Since last month > a new area of the IT department is "auditing" the server remotely and > are asking for fixing the things they found wrong (or they believe it > is wrong). According to them the FTP that is running by default on > the 4.4.-STABLE version has problems. "Their automated report says > it". I'm including the message they sent me at the end of this email. > Any similar experiences on this? What have you done with clients like > this that think that "the server they ordered to configure is wrong > configured"?. Tell them to read the nessus report: > -------This is what they sent me as result of their auditing----- > FTPD glob Heap Corruption ftp (21/tcp) You seem to be running an FTP > server which is vulnerable to the 'glob heap corruption' flaw. An > attacker may use this problem to execute arbitrary commands on this > host. > > *** As Nessus solely relied on the banner of the server to issue this > *** warning, so this alert might be a false positive With the 'only safe tests' flag turned on, nessus doesn't actually test for bugs; it just checks banner strings and version numbers. FreeBSD's FTP client has always reported 220 hostname FTP server (Version 6.00LS) ready. and nessus checks that and says "possibly buggy". This bug was fixed in FreeBSD's stock ftpd prior to the release of FreeBSD 4.3. ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:33.ftpd-glob.v1.1.asc -- Dan Nelson dnelson@allantgroup.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message