On Tuesday 20 April 2004 02:46, Konstantin Gavrilenko wrote:
> ncftp client does not hash the password under certain conditions. And
> such information is made available to other users through `ps aux`
> Risk Factor: High
Wget (1.8.2 and earlier) and lftp (2.6.11 and earlier) have the very same
"vulnerability". I doubt thats a problem worth posting an advisory over. Both
lftp and ncftp can be runned in interactive mode and the details entered
inside, so no information is disclosed to "ps". Also, in wget, you can use
the --input-file=<filename> option which allows you to put the URLs in
ftp://user:pass@host/ format, one at a line in a file. Note that there will
be still info on the harddrive (unless you remove the URL list from the disk
after running the application is runned).
In wget there isnt a way around that, so there it might be more of a
"vulnerability" then ncftp or lftp.
Alex
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Hash: SHA1
On Tuesday 20 April 2004 02:46, Konstantin Gavrilenko wrote:
> ncftp client does not hash the password under certain conditions. And
> such information is made available to other users through `ps aux`
> Risk Factor: High
Wget (1.8.2 and earlier) and lftp (2.6.11 and earlier) have the very same
"vulnerability". I doubt thats a problem worth posting an advisory over. Both
lftp and ncftp can be runned in interactive mode and the details entered
inside, so no information is disclosed to "ps". Also, in wget, you can use
the --input-file=<filename> option which allows you to put the URLs in
ftp://user:pass@host/ format, one at a line in a file. Note that there will
be still info on the harddrive (unless you remove the URL list from the disk
after running the application is runned).
In wget there isnt a way around that, so there it might be more of a
"vulnerability" then ncftp or lftp.
Alex
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAhWu7fDQ3s2iW3q0RAo89AJ0SuQgXKX5DODvUaiRDsp2/ZcJUCQCgw3/8
kTc+rq+E+wScAubqreOhkss=
=xqeS
-----END PGP SIGNATURE-----
[ reply ]