Re: How vulnerable is setting up anonymous read-only ftp access to my LS?

James Stewart
Message 1 of 4, Oct 12, 2005
      --- In LinkStation_General@yahoogroups.com, "born_daniel"
      <born_daniel@y...> wrote:
      >
      > Well, my understanding of most ftp exploits is that you send a
      > binary file containing executable code and then you end up being
      > able to execute that code somehow.

      Yes. If you allow people to send you stuff there is always a
      possibility they will then find a way to execute it. Often using
      some other unrelated exploit you might have.

      > The version of ftp appears to be wu-ftp 2.6.1 and there are talks
      > about vulnerabilities of this version but I wasn't able to find
      > any details about what they are and what they allow...

      I never used the original OS on my LS long enough to figure this
      out, but there were two ftp servers installed on the LS, wu-ftp and
      proftp. I never quite understood which one got used for what, but
      assumed the one was used over the other when you enabled "anonymous
      FTP" on the LS's Web Interface.

      > Thanks,
      > Daniel
      >
      > --- In LinkStation_General@yahoogroups.com, "James Stewart"
      > <wartstew@y...> wrote:
      > >
      > > --- In LinkStation_General@yahoogroups.com, "born_daniel"
      > > <born_daniel@y...> wrote:
      > > >
      > > > Hi all,
      > > >
      > > > I know FTP is not secure at all and suffers many vulnerabilities but
      > > > how much risk am I exposing my LS (and its data) to, by allowing
      > > > anonymous read-only access to a separate shared folder?
      > > >
      > > > Still using root-hacked 1.44 on LS I (for now) :-)
      > > >
      > > > Thanks,
      > > > Daniel
      > > >
      > >
      > > It is not as bad as you think. Just remember that nothing is
      > > encrypted. This means never try to log in across the internet using a
      > > user name and password that you don't mind being totally public
      > > (remember your web browser might cache then use a user/password pair
      > > that you didn't intend it to at times). Don't send or receive any
      > > data using FTP that you don't mind being totally public. Then make
      > > sure that the "ftp" and "anonymous" logins will not be allowed shell
      > > access or access to any other services you don't want the public
      > > into.
      > >
      > > I forgot what version of ProFTP the LS uses by default. It is
      > > probably an older version and might have some security issues. You
      > > might research this a bit and see if there were ever any known
      > > exploits of any of these security issues.
      > >
      >
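One concrete way to act on the advice above about making sure the "ftp" and "anonymous" logins get no shell: the script below is an added example, not code from this thread or from the LinkStation firmware. It assumes the usual seven-field /etc/passwd layout; the account names, home paths, the list of non-login shells and the sample passwd file are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check that the accounts an FTP daemon
# logs anonymous users in as ("ftp" and "anonymous" in the post above) have no
# interactive shell. Assumes the usual seven-field /etc/passwd layout.
# write_sample_passwd PATH: writes a constructed passwd file for a dry run.
# "ftp" was left with /bin/sh (the mistake being checked for); "anonymous" is locked.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/sh
ftp:x:14:50:FTP User:/mnt/share/ftp:/bin/sh
anonymous:x:1001:1001:Anonymous FTP:/mnt/share/ftp:/sbin/nologin
daniel:x:1000:1000:Daniel:/home/daniel:/bin/sh
EOF
}

# is_nologin_shell SHELL: succeeds when SHELL cannot start an interactive session
# (assumed list; extend it to match what /etc/shells on the box actually offers).
is_nologin_shell() {
    case "$1" in
        ''|/bin/false|/sbin/nologin|/usr/sbin/nologin|/bin/sync) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_ftp_accounts PASSWD_FILE ACCOUNT...: prints one warning per listed
# account that still has a login shell; returns 1 if any was found, else 0.
# Accounts absent from the file are skipped (nothing to lock down).
audit_ftp_accounts() {
    passwd_file="$1"; shift
    bad=0
    for acct in "$@"; do
        entry="$(awk -F: -v u="$acct" '$1 == u' "$passwd_file")"
        [ -n "$entry" ] || continue
        login_shell="$(printf '%s\n' "$entry" | cut -d: -f7)"
        if ! is_nologin_shell "$login_shell"; then
            echo "WARNING: $acct has interactive shell '$login_shell' in $passwd_file"
            bad=1
        fi
    done
    return "$bad"
}

# Dry run against the constructed file; on a real LS you would pass /etc/passwd.
tmp="$(mktemp)"
write_sample_passwd "$tmp"
if audit_ftp_accounts "$tmp" ftp anonymous; then
    echo "ftp/anonymous accounts have no login shell"
fi
rm -f "$tmp"
```

The dry run flags the "ftp" entry because its shell is /bin/sh; pointing the same function at /etc/passwd gives the check the post recommends.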