| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Apr 2004 21:28:04 +0300 From: Alex Behar <alex@...ipse.org.il> To: bugtraq@...urityfocus.com Cc: k.gavrilenko@...ont.com Subject: Re: NcFTP - password leaking -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 20 April 2004 02:46, Konstantin Gavrilenko wrote: > ncftp client does not hash the password under certain conditions. And > such information is made available to other users through `ps aux` > Risk Factor: High Wget (1.8.2 and earlier) and lftp (2.6.11 and earlier) have the very same "vulnerability". I doubt thats a problem worth posting an advisory over. Both lftp and ncftp can be runned in interactive mode and the details entered inside, so no information is disclosed to "ps". Also, in wget, you can use the --input-file=<filename> option which allows you to put the URLs in ftp://user:pass@...t/ format, one at a line in a file. Note that there will be still info on the harddrive (unless you remove the URL list from the disk after running the application is runned). In wget there isnt a way around that, so there it might be more of a "vulnerability" then ncftp or lftp. Alex -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAhWu7fDQ3s2iW3q0RAo89AJ0SuQgXKX5DODvUaiRDsp2/ZcJUCQCgw3/8 kTc+rq+E+wScAubqreOhkss= =xqeS -----END PGP SIGNATURE-----
Powered by blists - more mailing lists