
Re: How vulnerable is setting up anonymous read-only ftp access to my LS?

  • James Stewart
    Message 1 of 4 , Oct 10, 2005
      --- In LinkStation_General@yahoogroups.com, "born_daniel"
      <born_daniel@y...> wrote:
      >
      > Hi all,
      >
      > I know FTP is not secure at all and suffers many vulnerabilities but
      > how much risk am I exposing my LS (and its data) to, by allowing
      > anonymous read-only access to a separate shared folder?
      >
      > Still using root-hacked 1.44 on LS I (for now) :-)
      >
      > Thanks,
      > Daniel
      >

      It is not as bad as you think. Just remember that nothing is
      encrypted. This means never try to log in across the internet using a
      user name and password that you don't mind being totally public
      (remember your web browser might cache then use a user/password pair
      that you didn't intend it to at times). Don't send or receive any
      data using FTP that you don't mind being totally public. Then make
      sure that the "ftp" and "anonymous" logins will not be allowed shell
      access or access to any other services you don't want the public
      into.

      I forgot what version of ProFTP the LS uses by default. It is
      probably an older version and might have some security issues. You
      might research this a bit and see if there were ever any known
      exploits of any of these security issues.
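As an added example that is not part of the thread (my own script, not anything shipped on the LinkStation or in wu-ftpd/ProFTPD): a POSIX shell audit of an anonymous FTP account that checks the points raised above, namely that the account has no usable login shell, that it does not own the directory it is confined to, and that nothing under that share is writable by group or others, so it really is read-only. The function names, the nologin shell list and the sample passwd entries are my own constructions; the "account must not own its own share" rule is standard anonymous-FTP hardening advice, not something stated in the thread.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Paths are parameters so it can be
# run against a constructed passwd file and directory tree; on a live box you
# would call it as: audit_anon_ftp /etc/passwd ftp

NOLOGIN_SHELLS="/bin/false /sbin/nologin /usr/sbin/nologin /dev/null"

passwd_field() {  # passwd_field FILE USER N -> field N of USER's line
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

is_nologin_shell() {  # is_nologin_shell SHELL -> 0 if SHELL cannot log in
    for s in $NOLOGIN_SHELLS; do [ "$s" = "$1" ] && return 0; done
    return 1
}

# audit_anon_ftp PASSWD_FILE USER -> 0 when every check passes, else 1,
# printing one line per failed check.
audit_anon_ftp() {
    pw=$1; user=$2; rc=0
    uid=$(passwd_field "$pw" "$user" 3)
    [ -n "$uid" ] || { echo "no account named $user in $pw"; return 1; }
    shell=$(passwd_field "$pw" "$user" 7)
    home=$(passwd_field "$pw" "$user" 6)
    is_nologin_shell "$shell" || { echo "$user has a login shell: $shell"; rc=1; }
    [ -d "$home" ] || { echo "home directory $home is missing"; return 1; }
    # The account must not own the top of its own tree (ls -n prints the uid).
    owner=$(ls -ldn "$home" | awk '{ print $3 }')
    [ "$owner" != "$uid" ] || { echo "$home is owned by $user (uid $uid)"; rc=1; }
    # Any group- or world-writable entry would let anonymous users upload.
    w=$(find "$home" \( -perm -g+w -o -perm -o+w \) -print)
    [ -z "$w" ] || { echo "writable entries under $home:"; echo "$w"; rc=1; }
    return $rc
}

# Constructed sample: one correctly locked-down account and one that is not.
make_sample() {  # make_sample DIR -> DIR/passwd, DIR/good (ok), DIR/bad (not)
    mkdir -p "$1/good/pub" "$1/bad/incoming"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$1/passwd"
    printf 'ftp:x:40:49:anon ftp:%s/good:/bin/false\n' "$1" >> "$1/passwd"
    printf 'anon2:x:41:49:anon ftp:%s/bad:/bin/sh\n' "$1" >> "$1/passwd"
    echo photo > "$1/good/pub/family.jpg"
    chmod -R go-w "$1/good"        # read-only share
    chmod 777 "$1/bad/incoming"    # world-writable drop box, shell is /bin/sh
}
```

Running `audit_anon_ftp` on the constructed `ftp` account returns 0; on `anon2` it prints the login shell and the writable `incoming` directory and returns 1.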
    • born_daniel
      Message 2 of 4 , Oct 11, 2005
        Well, my understanding of most ftp exploits is that you send a
        binary file containing executable code and then you end up being
        able to execute that code somehow.

        If I use a read-only, anonymous account setup for public data (such
        as family pictures or hosting files to be accessed from discussion
        forums by supplying a link to these files), it shouldn't be very
        risky. My only concern is about my other shares under /mnt that I
        didn't allow access to the ftp server, can they be read or written
        to by some ftp exploit?

        The version of ftp appears to be wu-ftp 2.6.1 and there are talks
        about vulnerabilities of this version but I wasn't able to find any
        details about what they are and what they allow...

        Thanks,
        Daniel

      • James Stewart
        Message 3 of 4 , Oct 12, 2005
          --- In LinkStation_General@yahoogroups.com, "born_daniel"
          <born_daniel@y...> wrote:
          >
          > Well, my understanding of most ftp exploits is that you send a
          > binary file containing executable code and then you end up being
          > able to execute that code somehow.

          Yes. If you allow people to send you stuff there is always a
          possibility they will then find a way to execute it. Often using
          some other unrelated exploit you might have.

          > The version of ftp appears to be wu-ftp 2.6.1 and there are talks
          > about vulnerabilities of this version but I wasn't able to find
          > any details about what they are and what they allow...

          I never used the original OS on my LS long enough to figure this
          out, but there were two ftp servers installed on the LS, wu-ftp and
          proftp. I never quite understood which one got used for what, but
          assumed the one was used over the other when you enabled "anonymous
          FTP" on the LS's Web Interface.
