Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 24 Apr 1999 01:19:02 -0400 (EDT)
From:      marcus@bradenton.cisco.com
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/11300: gftp 1.13 echos ftp passwords in clear-text
Message-ID:  <199904240519.BAA90009@bradenton.cisco.com>
next in thread | raw e-mail | index | archive | help 

>Number:         11300
>Category:       ports
>Synopsis:       gftp 1.13 echos ftp passwords in clear-text
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 23 22:20:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Joe "Marcus" Clarke
>Release:        FreeBSD 3.1-RELEASE i386
>Organization:
Cisco Systems, Inc.
>Environment:

FreeBSD 3.1-RELEASE on i586

>Description:

Using the latest gftp compiled from ports (version 1.13) I noticed that ftp passwors are echoed in the logging window in clear-text.  This can be a security problem is people are looking over your shoulder.

>How-To-Repeat:

Compile gftp and connect to a remote host.

>Fix:
	
Apply this patch to gnome-ftp.c.  It corrects the problem by echoing "******" instead of the password.


--- gnome-ftp.c	Wed Mar 31 00:43:08 1999
+++ /home/marcus/gnome-ftp.c	Sat Apr 24 01:07:01 1999
@@ -791,6 +791,7 @@
 int gftp_send_command (gftp_request *request, const char *command) {
    struct timeval tv;
    fd_set rset;
+   char *print_command;
 
    g_return_val_if_fail (request != NULL, -2);
    g_return_val_if_fail (command != NULL, -2);
@@ -800,8 +801,16 @@
    FD_SET (request->sockfd, &rset);
    tv.tv_sec = 10;
    tv.tv_usec = 0;
+   if (!strncmp(command, "PASS", 4)) {
+	print_command = (char *)malloc(sizeof("PASS ******\r\n"));
+	print_command = "PASS ******\r\n";
+   }
+   else {
+	   print_command = (char *)malloc(sizeof(command));
+	   (void)strcpy(print_command,command);
+   }
    if (request->logging) { 
-      request->logging_function (gftp_logging_send, request->user_data, command);
+      request->logging_function (gftp_logging_send, request->user_data, print_command);
    }
 
    if (select (request->sockfd+1, NULL, &rset, NULL, &tv) == 0) {



>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199904240519.BAA90009>