<<< Date Index >>>     <<< Thread Index >>>

Re: NcFTP - password leaking



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 20 April 2004 02:46, Konstantin Gavrilenko wrote:

> ncftp client does not hash the password under certain conditions. And
> such information is made available to other users through `ps aux`

> Risk Factor: High

Wget (1.8.2 and earlier) and lftp (2.6.11 and earlier) have the very same 
"vulnerability". I doubt thats a problem worth posting an advisory over. Both 
lftp and ncftp can be runned in interactive mode and the details entered 
inside, so no information is disclosed to "ps". Also, in wget, you can use 
the --input-file=<filename> option which allows you to put the URLs in 
ftp://user:pass@host/ format, one at a line in a file. Note that there will 
be still info on the harddrive (unless you remove the URL list from the disk 
after running the application is runned).
In wget there isnt a way around that, so there it might be more of a 
"vulnerability" then ncftp or lftp.


Alex
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAhWu7fDQ3s2iW3q0RAo89AJ0SuQgXKX5DODvUaiRDsp2/ZcJUCQCgw3/8
kTc+rq+E+wScAubqreOhkss=
=xqeS
-----END PGP SIGNATURE-----