Bugtraq mailing list archives
Concerning the LDAP Enabled Netscape FTP Server
From: ah () SECURITYFOCUS COM (Alfred Huger)
Date: Tue, 27 Jun 2000 09:21:36 -0700
Over the last few days a great number of people have mailed us in regards to the "Netscape Professional Services FTP Server Vulnerability" (http://www.securityfocus.com/bid/1375) discovered by Michal Zalewski <lcamtuf () tpi pl> and posted to the Bugtraq mailing list on Wed, 21 Jun 2000. The following mail which we received should shed some light on the subject.

Thanks to both Netscape and Kurt Seifried for digging into this.

Alfred Huger
VP of Engineering
SecurityFocus.com

---------- Forwarded message ----------
Date: Tue, 27 Jun 2000 16:51:00 +0200
From: Uwe Springmann <uspring () netscape com>
To: Kurt Seifried <seifried () securityportal com>
Cc: vuldb () securityfocus com, lord () netscape com
Subject: Re: Netscape ftp Server (fwd)

Kurt,

I do know your name as I am routinely reading your weekly postings. Good work!

Concerning Netscape FTP-Server: The fact is, there are versions of this software which have the posted problems. This LDAP-aware ftp server never was an official Netscape product but something our Professional Service people used to supply our Enterprise Web Server with upload functionality (especially with big ISPs and virtual domain hosting). Every installation of this software required making adaptations and changing the code in several ways. At present we don't know which version at which site might be vulnerable. We do know that we have installations in Germany which are not vulnerable (the mail below refers to these installations).

Currently we are working to do an overhaul of this piece of software to give customers the possibility to use an LDAP-aware FTP-server, and to get rid of these security problems. This is a high priority project and I'll let you know when it is finished.

The BUGTRAQ people asked for a contact within Netscape for general Netscape / iPlanet products security issues. Bob Lord (now Director for Security with the Mozilla Project) will serve this role and could route to the appropriate people within our company.

I will keep you posted.

Uwe