Date: Sat, 24 Apr 1999 01:19:02 -0400 (EDT)
From: marcus@bradenton.cisco.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/11300: gftp 1.13 echoes ftp passwords in clear-text
Message-ID: <199904240519.BAA90009@bradenton.cisco.com>
>Number: 11300
>Category: ports
>Synopsis: gftp 1.13 echoes ftp passwords in clear-text
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Apr 23 22:20:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator: Joe "Marcus" Clarke
>Release: FreeBSD 3.1-RELEASE i386
>Organization: Cisco Systems, Inc.
>Environment: FreeBSD 3.1-RELEASE on i586
>Description:
Using the latest gftp compiled from ports (version 1.13) I noticed that ftp passwords are echoed in the logging window in clear-text. This can be a security problem if people are looking over your shoulder.
>How-To-Repeat:
Compile gftp and connect to a remote host.
>Fix:
Apply this patch to gnome-ftp.c. It corrects the problem by echoing "******" instead of the password.

--- gnome-ftp.c Wed Mar 31 00:43:08 1999 +++ /home/marcus/gnome-ftp.c Sat Apr 24 01:07:01 1999 @@ -791,6 +791,7 @@ int gftp_send_command (gftp_request *request, const char *command) { struct timeval tv; fd_set rset; + char *print_command; g_return_val_if_fail (request != NULL, -2); g_return_val_if_fail (command != NULL, -2); @@ -800,8 +801,16 @@ FD_SET (request->sockfd, &rset); tv.tv_sec = 10; tv.tv_usec = 0; + if (!strncmp(command, "PASS", 4)) { + print_command = (char *)malloc(sizeof("PASS ******\r\n")); + print_command = "PASS ******\r\n"; + } + else { + print_command = (char *)malloc(sizeof(command)); + (void)strcpy(print_command,command); + } if (request->logging) { - request->logging_function (gftp_logging_send, request->user_data, command); + request->logging_function (gftp_logging_send, request->user_data, print_command); } if (select (request->sockfd+1, NULL, &rset, NULL, &tv) == 0) {

>Release-Note:
>Audit-Trail:
>Unformatted:
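Review bot: In the first hunk (`@@ -791,6 +791,7 @@`), `char *print_command;` is declared as a non-const, heap-owning pointer, yet nothing in the patch ever frees it, and the second hunk assigns a string literal to it in one branch, so it cannot safely be freed uniformly either. Since the only purpose is to choose which text reaches `request->logging_function`, declare it as `const char *print_command;` and avoid ownership altogether.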
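Review bot: The second hunk (`@@ -800,8 +801,16 @@`) introduces a heap overflow and a leak while fixing the disclosure. `malloc(sizeof(command))` allocates `sizeof(char *)` bytes (4 on the i386 target, not the length of the string), so `strcpy(print_command, command)` overruns the buffer for any command longer than three characters; it must be `strlen(command) + 1` if a copy is wanted at all. In the `PASS` branch the freshly malloc'd buffer is immediately discarded by `print_command = "PASS ******\r\n";`, leaking it, and neither branch is followed by a `free`, so every command sent leaks memory. Both problems disappear if no copy is made: `print_command = strncmp(command, "PASS ", 5) == 0 ? "PASS ******\r\n" : command;` suffices because the logging function only reads the string. The check should also match on `"PASS "` (with the space) rather than the bare four letters, so that only the password command is masked.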
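As an added example that is not part of this PR or of gftp itself, the following C shows the allocation-free way to choose what the log window sees: the `PASS` verb is matched case-insensitively (FTP verbs are case-insensitive) and must be followed by a space or end of line, so a hypothetical longer verb starting with the same letters is left alone. The helper `log_leaks_secret` is the check a reviewer would run over the logged text to confirm the password never appears. Function names and the sample commands are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not gftp code: true if `c` starts with the PASS verb
 * (any letter case) followed by a space, CR, LF or end of string. The loop
 * stops at the first mismatch, so a string shorter than four characters is
 * never read past its terminator. */
static int is_pass_verb(const char *c)
{
    static const char verb[] = "PASS";
    for (size_t i = 0; i < 4; i++) {
        if (toupper((unsigned char)c[i]) != verb[i])
            return 0;
    }
    char next = c[4];
    return next == ' ' || next == '\r' || next == '\n' || next == '\0';
}

/* Return the text that may be written to the log for an outgoing command.
 * Nothing is allocated: either a static masked string or the caller's own
 * buffer is returned, so there is nothing to free and no size to get wrong. */
const char *redact_for_log(const char *command)
{
    static const char masked[] = "PASS ******\r\n";
    return is_pass_verb(command) ? masked : command;
}

/* Reviewer's check: 1 if the plaintext secret appears anywhere in what was
 * logged, 0 otherwise. An empty secret is treated as not leaking. */
int log_leaks_secret(const char *logged, const char *secret)
{
    if (secret[0] == '\0')
        return 0;
    return strstr(logged, secret) != NULL;
}

int main(void)
{
    /* Constructed sample commands, as a client would send them. */
    const char *commands[] = {
        "USER marcus\r\n",
        "PASS hunter2\r\n",   /* constructed password, must be masked */
        "pass hunter2\r\n",   /* lower-case verb, still masked */
        "PASV\r\n",           /* shares a prefix with PASS, must not be masked */
    };
    for (size_t i = 0; i < sizeof(commands) / sizeof(commands[0]); i++) {
        const char *shown = redact_for_log(commands[i]);
        printf("log: %s", shown);
        if (log_leaks_secret(shown, "hunter2"))
            printf("  !! password leaked into log\n");
    }
    return 0;
}
```

Because `redact_for_log` returns a pointer into either a static string or the caller's buffer, the result is only valid as long as `command` is; for a logging call made on the same line, as in `gftp_send_command`, that is exactly the lifetime needed.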