ftpd leaks info which might be useful to an attacker
    Lyndon Nerenberg 
    lyndon at orthanc.ca
       
    Tue Sep 13 21:27:33 UTC 2016
    
    
  
> Thinking about how the contents of these files affect the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.
I would be concerned about programs that parse that output choking on a 
field of only hyphens. It's likely safer to just report the uid and gid as 
0 (or 666, or some other made-up number of your choice).
--lyndon
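
The suggestion in the reply above, as an added example that is not part of the original post and is not FreeBSD ftpd code: a filter that rewrites the owner and group columns of a Unix-style listing line to a fixed number while keeping the column layout, next to a strict client-side field check that rejects a hyphen-only field. The function names, the placeholder value, the client check and the sample lines are assumptions constructed for illustration.

```python
import re

# Unix-style listing line: mode, link count, owner, group, then the rest
# (size, date, name). Whitespace runs are captured so columns stay aligned.
_LIST_RE = re.compile(
    r"^(?P<mode>[-bcdlps][-rwxsStT]{9}[+@.]?)(?P<s1>\s+)"
    r"(?P<links>\d+)(?P<s2>\s+)"
    r"(?P<owner>\S+)(?P<s3>\s+)"
    r"(?P<group>\S+)(?P<rest>\s.*)$"
)

# Hypothetical strict client rule: a name or number, never starting with "-".
_ID_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def mask_owner_group(line, placeholder="0"):
    """Replace the owner and group fields with a fixed numeric placeholder."""
    m = _LIST_RE.match(line)
    if m is None:
        return line  # "total N", blank lines, non-Unix formats pass through
    # Pad to the original field width so later columns do not shift.
    owner = placeholder.ljust(len(m["owner"]))
    group = placeholder.ljust(len(m["group"]))
    return (m["mode"] + m["s1"] + m["links"] + m["s2"]
            + owner + m["s3"] + group + m["rest"])


def owner_fields_ok(line):
    """Check a strict client parser might apply to the owner/group columns."""
    fields = line.split()
    return len(fields) >= 4 and all(_ID_RE.fullmatch(f) for f in fields[2:4])


# Constructed sample listing (not captured from a real server).
SAMPLE = [
    "total 8",
    "-rw-r--r--  1 alice  staff  1024 Sep 13 21:27 notes.txt",
    "drwxr-xr-x  2 1001   1001    512 Sep 13 21:27 my dir",
]
# The hyphen-only variant discussed in the quoted message, also constructed.
HYPHENS = "-rw-r--r--  1 ----   ----   1024 Sep 13 21:27 notes.txt"

if __name__ == "__main__":
    for entry in SAMPLE:
        print(mask_owner_group(entry))
    print("hyphen fields accepted by strict check:", owner_fields_ok(HYPHENS))
```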
    
    
More information about the freebsd-security
mailing list