| Field | Value |
|---|---|
| Summary | www-apps/net2ftp security status |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | enhancement |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5194 |
| Whiteboard | B4 [noglsa] |
| Reporter | Jakub Moc (RETIRED) <jakub> |
| Assignee | Gentoo Security <security> |
| CC | patrizio.bassi |
| Package list | |
| Runtime testing required | --- |
Description
Jakub Moc (RETIRED)
Quickly looking at 0.96, it still fails to perform any sanitization on username values, beyond the below funky comment suggesting upstream is clueless...

```php
function validateUsername($username) {
// --------------
// This function validates the username
// --------------

// Remove invisible characters in the beginning and at the end
    $username = trim($username);

// Remove XSS code
//  $username = RemoveXSS($username);

    return $username;
} // end validateUsername
```

The password handling also looks "optimistic" :P

```php
function validatePassword($password) {
// --------------
// This function validates the plain password
// --------------

// Remove invisible characters in the beginning and at the end
    $password = trim($password);

// Remove XSS code
//  $password = RemoveXSS($password);

    return $password;
} // end validatePassword
```

See http://www.securityfocus.com/archive/1/archive/1/447535/100/0/threaded for the original advisory.

oh boy ...

masked

This security bug was reported in 2006 and it is now 2008. The securityfocus thread shows securfrog being debunked pretty hard. The forums on the net2ftp site have an old thread dealing with the issue, basically saying the bug is in a very old version, from more than three years before the post date. http://www.net2ftp.org/forums/viewtopic.php?id=2267 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5097 also disputes this vulnerability. This "bug" has been in the wild for three years but there are no exploits using it that I am aware of. Masking it was a bit of a knee-jerk rush. Please reevaluate the masking.

well, alone the above snippet of user/password "validation" makes any security aware person go sick. you can still unmask if you feel like it

0.96 and 0.97 out....

(In reply to comment #6)
> 0.96 and 0.97 out....

I just had a look at 0.97 and the snippet from comment #1 doesn't seem to have changed..

more issues with net2ftp... http://secunia.com/advisories/30611/

mailed upstream ... without success:

<mailbox2@ibelgique.com>: host mailrecv.ifrance.com[82.196.5.130] said: 550 <mailbox2@ibelgique.com>: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command)

issued last rites. will be removed in 30 days.

(In reply to comment #5)
> well, alone the above snippet of user/password "validation" makes any security
> aware person go sick. you can still unmask if you feel like it
>

Please explain what is wrong with it? We are not all elite security experts. Should they be replaced with a library function that does proper sanitizing? If so, I could have a php script writer look into it.

Ebuild removed.

webapps done.

Also, 10 months later... GLSA?

It's just XSS, my vote is NO, the bug is extremely old, closing noglsa.
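The validators quoted in the report call trim() and nothing else, with the RemoveXSS() line commented out. The block below is an added example, not net2ftp's code and not part of this bug report: it places the quoted username validator beside a stricter form and an output-side encoder, to show that rejecting malformed input and HTML-encoding at the point of output are two separate jobs, and that neither is done by trim(). The sample inputs, the markup in renderLoginField(), and every function name other than the quoted validateUsername() are constructed for the example.

```php
<?php
// Added example, not net2ftp code. Compares the validator quoted in the bug
// report with a stricter one, then encodes at the HTML sink.

// As quoted in the report: trim() only, RemoveXSS() commented out.
function validateUsername_original($username) {
    $username = trim($username);
    // $username = RemoveXSS($username);
    return $username;
}

// Stricter form (hypothetical name): reject rather than "clean". A username
// here is an FTP login, and FTP command lines are CR/LF-terminated, so no
// control byte belongs in it; the length is bounded; nothing HTML-specific
// is done here because HTML escaping belongs at the output sink.
function validateUsernameStrict($username) {
    $username = trim((string) $username);
    if ($username === '' || strlen($username) > 64) {
        return false;
    }
    // Any byte below 0x20, or 0x7F, is a control character.
    if (preg_match('/[\x00-\x1F\x7F]/', $username)) {
        return false;
    }
    return $username;
}

// Password counterpart (hypothetical name): no trim(), since leading or
// trailing spaces may be part of the secret, and no character restriction
// beyond NUL/CR/LF, which cannot travel in an FTP PASS command.
function validatePasswordStrict($password) {
    $password = (string) $password;
    if ($password === '' || strlen($password) > 256) {
        return false;
    }
    if (preg_match('/[\x00\x0A\x0D]/', $password)) {
        return false;
    }
    return $password;
}

// Output-side encoder for HTML text and attribute context. This is the job
// the commented-out RemoveXSS() call was standing in for.
function h($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Reflect the username back into a login form field; the markup is
// constructed for this example.
function renderLoginField($username) {
    return '<input type="text" name="username" value="' . h($username) . '">';
}

// Constructed sample inputs.
$samples = [
    'alice',
    "bob\r\nQUIT",                   // CR/LF inside a login name
    '"><script>alert(1)</script>',   // generic reflected-XSS probe
];

foreach ($samples as $u) {
    $strict = validateUsernameStrict($u);
    printf("%-36s original=%s strict=%s\n",
        json_encode($u),
        json_encode(validateUsername_original($u)),
        $strict === false ? 'REJECTED' : json_encode($strict));
    if ($strict !== false) {
        // The third sample survives validation (it contains no control
        // bytes) and is made harmless only by h() at the sink.
        echo '  ', renderLoginField($strict), "\n";
    }
}
```

The third sample is the instructive one: it passes the strict validator, because a double quote and angle brackets are legitimate in many input fields, and it is rendered inert only because renderLoginField() encodes through h(). Input validation that tries to strip "XSS code" from a username, which is what the commented-out RemoveXSS() suggests upstream intended, is the wrong layer; the sink has to encode regardless of what validation accepted.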