Message-ID: <4194D5FD.90303@ornl.gov>
Date: Fri, 12 Nov 2004 10:25:49 -0500
From: Lawrence MacIntyre <macintyrelp@...l.gov>
To: KF_lists <kf_lists@...netops.com>
Cc: Justin Rush <jrush@...ut.wisc.edu>, bugtraq@...urityfocus.com
Subject: Re: Unsecure Ftpd on HP PSC 2510 Printer

A write-only ftp server doesn't seem like a good place to do that since
you can't get them back out... (nice try, though...)

KF_lists wrote:
> Nothing like someone using the memory on your printer to stash a few
> files...
>
> http://www.phenoelit.de/hp/docu.html
> -KF
>
> Lawrence MacIntyre wrote:
>
>> So why is this insecure? Why is this different from port 631 (ipp) or
>> port 515 (lpd)? It's a printer. You give it a file, it prints it. The
>> port or protocol it uses is immaterial...
>>
>> On Wed, 2004-11-10 at 15:26 -0600, Justin Rush wrote:
>>
>>> Product Name: HP PSC 2510
>>> Summary: Ftp print service is not configurable
>>>
>>> This printer comes with an ftp daemon which allows anonymous
>>> access, and drops the user into a write only directory. By default
>>> anyone from anywhere can drop a file into this directory and the
>>> printer will print the document. There is no documentation about
>>> this feature, nor is there any way to change (enable/disable) it
>>> via any of their software or on the printer itself. HP Tech.
>>> support says that if you don't want this feature then you should
>>> hook up the printer as a local printer, however this printer
>>> comes with both wireless and wired connectors on the back.
>>>
>>> Justin Rush
>>> jrush@...ut.wisc.edu
>>