Bug#626524: proftpd-basic: DefaultAddress 127.0.0.1 not obeyed
Andrei Caraman
adc at dc-uoit.net
Thu May 12 16:23:22 UTC 2011
Package: proftpd-basic
Version: 1.3.3a-6squeeze1
Severity: grave
Tags: security
Justification: user security hole
After adding the "DefaultAddress 127.0.0.1" in the server config section and
restarting proftpd-basic, I can see
# /etc/init.d/proftpd restart
Stopping ftp server: proftpd.
Starting ftp server: proftpd - setting default address to 127.0.0.1
.
However, a quick "netstat -tlpe" after that shows
# netstat -tlpe
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 *:ftp *:* LISTEN proftpd 2207704 1739/proftpd: (acce
and I have confirmed I get the initial username/password dialog when
connecting from a remote client.
This has the potential of creating a false sense of security for the
administrator: we see the message about setting the default address to
127.0.0.1 and we expect no remote client can connect, when in fact anyone
can.
Regards,
adc
-- System Information:
Debian Release: 6.0.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages proftpd-basic depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii debconf 1.5.36.1 Debian configuration management sy
ii debianutils 3.4 Miscellaneous utilities specific t
ii libacl1 2.2.49-4 Access control list shared library
ii libattr1 1:2.4.44-2 Extended attribute shared library
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libcap2 1:2.19-3 support for getting/setting POSIX.
ii libncurses5 5.7+20100313-5 shared libraries for terminal hand
ii libpam-runtime 1.1.1-6.1 Runtime support for the PAM librar
ii libpam0g 1.1.1-6.1 Pluggable Authentication Modules l
ii libssl0.9.8 0.9.8o-4squeeze1 SSL shared libraries
ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra
ii netbase 4.45 Basic TCP/IP networking system
ii sed 4.2.1-7 The GNU sed stream editor
ii ucf 3.0025+nmu1 Update Configuration File: preserv
ii update-inetd 4.38+nmu1 inetd configuration file updater
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
proftpd-basic recommends no packages.
Versions of packages proftpd-basic suggests:
pn openbsd-inetd | inet-su <none> (no description available)
ii openssl 0.9.8o-4squeeze1 Secure Socket Layer (SSL) binary a
pn proftpd-doc <none> (no description available)
pn proftpd-mod-ldap <none> (no description available)
pn proftpd-mod-mysql <none> (no description available)
pn proftpd-mod-odbc <none> (no description available)
pn proftpd-mod-pgsql <none> (no description available)
pn proftpd-mod-sqlite <none> (no description available)
-- debconf information:
* shared/proftpd/inetd_or_standalone: standalone
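As an added check that is not part of the bug report above, the following POSIX shell script parses `netstat -tlpe`-style output and flags listeners bound to a wildcard address, which is exactly what the report's `*:ftp` line shows despite `DefaultAddress 127.0.0.1` being set. The sample output is constructed here, modelled on the report's netstat line, so the script runs offline; on a real host it would read from `netstat -tlpe` (or `ss -tlnp`, with the same address:port column) instead. The function names `wildcard_listeners` and `loopback_only` are this example's own.

```shell
#!/bin/sh
# Constructed sample of "netstat -tlpe" output, modelled on the report above.
# The ftp line reproduces the bug: a wildcard bind despite DefaultAddress 127.0.0.1.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 *:ftp                   *:*                     LISTEN      proftpd    2207704    1739/proftpd: (acce
tcp        0      0 localhost:smtp          *:*                     LISTEN      root       12345      901/exim4
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      root       9876       700/sshd
tcp6       0      0 :::http                 :::*                    LISTEN      root       5555       1200/apache2'

# Read netstat output on stdin and print "local-address pid/program" for every
# LISTEN socket bound to a wildcard address (*, 0.0.0.0 or ::), i.e. one that
# remote hosts can reach. Handles both resolved (-tlpe) and numeric (-n) forms.
wildcard_listeners() {
    awk '$6 == "LISTEN" {
        h = $4; sub(/:[^:]*$/, "", h)          # strip the trailing :port
        if (h == "*" || h == "0.0.0.0" || h == "::") print $4, $9
    }'
}

# Exit 0 if every LISTEN socket for the given port (service name or number)
# is bound to a loopback address, 1 if any is bound to a wildcard or other
# address. Used to verify that a DefaultAddress-style restriction took effect.
loopback_only() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            p = $4; sub(/.*:/, "", p)          # port is the text after the last colon
            if (p != port) next
            h = $4; sub(/:[^:]*$/, "", h)      # host is the text before it
            if (h != "127.0.0.1" && h != "localhost" && h != "::1" &&
                h != "ip6-localhost" && h != "ip6-loopback" && h != "localhost6")
                bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# Usage on the constructed sample; replace the printf with "netstat -tlpe" for a live check.
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
if printf '%s\n' "$SAMPLE_NETSTAT" | loopback_only ftp; then
    echo "ftp: bound to loopback only"
else
    echo "ftp: reachable from remote hosts"
fi
```

A listener on `*`, `0.0.0.0` or `::` is remotely reachable regardless of what the startup banner says, so a post-restart check like `loopback_only ftp` belongs next to any configuration change that is supposed to restrict a service to localhost.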