httpd-dev mailing list archives

From Brian Behlendorf <br...@apache.org>
Subject Re: locus.apache.org hacked by white hats; FTP down for good, bugzilla down until audited.
Date Thu, 04 May 2000 08:09:50 GMT
On Thu, 4 May 2000, James Sutherland wrote:
> A more serious question, though: Having got to a shell account via ftpd
> and/or bugzilla, how did they get root??

It'll be described in the bugtraq post.

> > HTTP clients that there is no point to having it up, save for mirroring,
> > and we allow rsync and cvsup for that.  I will be contacting the mirror
> > site admins list to communicate this.
> 
> That may be overkill; simply replacing it with a read-only "integrated"
> ftpd should do the trick? (i.e. no way to exec() anything, no way to
> change content, minimal opportunity for buffer overflow exploits)

It's another daemon to have to worry about the security of, against buffer
overflow attacks, misconfiguration, and the like.  There's only one ftp
daemon I'd categorically trust, and that's DJB's "publicfile", but DJB
decided to use a different format for rendering directory listings that
makes it largely unusable for browsing.

At this point, in my opinion, it's like asking why we don't support
gopher.

	Brian