SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   FTP (Generic)
Vendors:   Sun
Sun Solaris FTP Client Displays The User Password When in Debug Mode
SecurityTracker Alert ID:  1006195
SecurityTracker URL:  http://securitytracker.com/id/1006195
CVE Reference:   CVE-2003-1078
Updated:  Jul 7 2008
Original Entry Date:  Mar 3 2003
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in the Sun ftp(1) client for Solaris. When in debug mode, user passwords are displayed on the terminal when typed in by the user.

Sun reported that, when configured in debug mode ("ftp -d"), the ftp(1) command will display the password on the screen in clear text. A physically local user could observe the password.

According to Sun, Solaris 9 is not affected, but prior versions are.

Impact:   A physically local user could observe the password on the screen.
Solution:   Sun has released the following patches:

SPARC Platform

Solaris 2.6: patch 106522-05 or later
Solaris 7: patch 107454-06 or later
Solaris 8: patch 108899-04 or later

x86 Platform

Solaris 2.6: patch 106523-05 or later
Solaris 7: patch 107455-06 or later
Solaris 8: patch 108900-04 or later

As a workaround, Sun reports that you can avoid running ftp(1) in debug mode (the -d option).
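
The following is an added example, not code from Sun or SecurityTracker: it checks `showrev -p` output against the patch levels listed above and reports whether the fix is present. It assumes a POSIX shell and awk, that `uname -r` reports 5.6/5.7/5.8 and `uname -p` reports sparc/i386 on the affected releases; the function names and the sample patch lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: is the ftp(1) debug-mode fix from this advisory installed?
# Assumes `uname -r` prints 5.6/5.7/5.8 and `uname -p` prints sparc/i386.

# required_patch RELEASE ARCH -> "BASE MINREV" from the advisory's patch list;
# prints nothing when the advisory lists no patch for that combination.
required_patch() {
    case "$1/$2" in
        5.6/sparc) echo "106522 05" ;;
        5.7/sparc) echo "107454 06" ;;
        5.8/sparc) echo "108899 04" ;;
        5.6/i386)  echo "106523 05" ;;
        5.7/i386)  echo "107455 06" ;;
        5.8/i386)  echo "108900 04" ;;
    esac
}

# ftp_fix_status RELEASE ARCH, with `showrev -p` output on stdin.
# Prints patched, vulnerable, or not-listed.
ftp_fix_status() {
    set -- $(required_patch "$1" "$2")
    if [ $# -ne 2 ]; then
        cat >/dev/null          # drain stdin so the producer is not cut off
        echo "not-listed"
        return 0
    fi
    # "or later": any installed revision >= the minimum counts as fixed.
    awk -v base="$1" -v min="$2" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 >= min + 0) found = 1
        }
        END { print (found ? "patched" : "vulnerable") }'
}

# Constructed sample of `showrev -p` output (not from a real host).
sample_showrev() {
    cat <<'EOF'
Patch: 108528-13 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 108899-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
EOF
}

# Demo on the sample; on a real host use:
#   showrev -p | ftp_fix_status "$(uname -r)" "$(uname -p)"
sample_showrev | ftp_fix_status 5.8 sparc
```

A result of not-listed means only that the advisory names no patch for that release and architecture, as is the case for Solaris 9.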

Vendor URL:  sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F51081
Cause:   Access control error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  2.6, 7, 8

Message History:   None.


 Source Message Contents

Subject:  Sun Alert 51081 (ftp)


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F51081

Sun issued Alert 51081 warning that, when configured in debug mode ("ftp -d"), the ftp(1) command
will display the password on the screen in clear text.  A physically local user could observe the
password.

Solaris 2.6, 7, and 8 are affected.  According to Sun, Solaris 9 is not affected.

As a workaround, Sun reports that you can, obviously, not use ftp(1M) in debug mode (-d option).

Sun has released the following patches: 

SPARC Platform 
Solaris 2.6: patch 106522-05 or later 
Solaris 7: patch 107454-06 or later 
Solaris 8: patch 108899-04 or later 

x86 Platform 
Solaris 2.6: patch 106523-05 or later 
Solaris 7: patch 107455-06 or later 
Solaris 8: patch 108900-04 or later 

-----

Sun Alert ID: 51081 
Synopsis: In Debug Mode, the ftp(1) Command Displays the Password on Screen in Clear Text 
Category: Security 
Product: Solaris 
BugIDs: 4621760 
Avoidance: Workaround, Patch 
State: Resolved 
Date Released: 27-Feb-2003 
Date Closed: 27-Feb-2003 
Date Modified:


 
 



Copyright 2019, SecurityGlobal.net LLC