Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: autoftp.htm

Auto_FTP v0.02 Cleartext Passwords in config file



Vulnerability

    Auto_FTP.pl

Affected

    Auto_FTP v0.02

Description

    Nightfall Security Group found  following.  Auto_FTP.pl is  a perl
    script that utilizes a shared directory, anytime something new  is
    put into  the shared  directory it  transfers it  to the specified
    ftp site.  Auto_FTP is available via freshmeat.net at

        http://apps.freshmeat.net/download/938443720/

    Auto_FTP  uses  a  configuration  file   that  can  be  found   in
    /etc/auto_ftp.conf, which contains  the username, password  and IP
    address of the  remote ftp site  in plain text.   Thereby allowing
    anyone with read access to /etc to view the login and password  to
    the ftp  site.   Another problem  is that  the shared directory by
    default is /tmp/ftp_tmp  which can be  viewed by any  users on the
    machine. If you are transferring sensitive material with  Auto_FTP
    it won't be sensitive for much longer.

    Auto_FTP does not check to see what user is sending to the  shared
    directory.   Any user  on the  local system  could copy  a file to
    /tmp/ftp_tmp and have it transferred to the ftp.

    Auto_FTP in summary:

        - Stores  login  and  password  for  remote  ftp in  plaintext
          configuration file
        - Uses a shared directory to automatically transfer files that
          by default can be used and viewed by anyone
        - Auto_FTP  does not  check to  see what  user sent a specific
          file to the shared  directory, therefore allowing anyone  to
          copy a file to the shared directory and have it  transferred
          to the ftp.  (The default shared directory is /tmp/ftp_tmp).

    In conclusion this program  while it may be  a good idea does  not
    concern  itself  with  security  precautions  and is therefore not
    reccomended when the contents of the data is important.  Reminder,
    plaintext passwords  in a  file that  can be  viewed by  anyone is
    never a good idea.

Solution

    Author Joshua Curtis has made significant updates and  improvments
    to the utility.  Auto_FTP v0.03 now:

    - Creates a random directory in a directory structure your specify
      to transfer files from
    - The  program will  now check  auto_ftp.conf to  verify that  the
      owner is correct,  if it is  not it will  not send the  file and
      will alert root
    - You can define users who can utilize the program
    - The documentation also includes on how to make auto_ftp.conf not
      readable by everyone


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH