Re: Proftpd

On Sun, Feb 25, 2001 at 02:06:12PM -0500, Trond Eivind Glomsrød wrote:
> > > More security problems
> > Excuse me? Could you please put some meat into this claim?
> Go to Securityfocus, do a search and be scared.

I _am_ scared. This is why I favour ProFTPD.

After stamping out the bugs which affected both, duplicates, and
local-only problems we get:


* 2001-01-23: Wu-Ftpd Debug Mode Client Hostname Format String Vulnerability
* 2000-06-22: Wu-Ftpd Remote Format String Stack Overwrite Vulnerability
* 1999-12-20: Multiple Vendor FTP Conversion Vulnerability
* 1999-10-21: Wu-ftpd SITE NEWER Denial of Service Vulnerability
* 1999-10-19: Wu-ftpd message Buffer Overflow Vulnerability
* 1999-08-22: Multiple Vendor Wu-Ftpd Buffer Overflow Vulnerability
* 1995-11-30: wu-ftpd /bin SITE EXEC Misconfiguration Vulnerability
* 1995-07-12: Multiple Vendor FTP Bounce Attack Vulnerability


* 2000-12-20: ProFTPD SIZE Remote Denial of Service Vulnerability
* 2000-12-19: ProFTPD USER Remote Denial of Service Vulnerability
* 1999-08-27: ProFTPD Remote Buffer Overflow

So where do you see "more security problems" with ProFTPD than with

BTW: you can stamp out the ProFTPD SIZE DoS because it happens only if
ProFTPD was installed incorrectly by the administrator [no write access to
its scoreboard file]. Leaving us with one real remote DoS and one unique
remote root hole. The wu-ftpd list speaks for itself. There is a reason
why it's called "wu-rootd".

Don't misunderstand me... I don't want any "holy war". Please keep this
discussion on facts. And the facts regarding security are quite clear.

Best regards,

entire systems GmbH         | droesen entire-systems com
Internet Services           | Phone: +49 2624 9550-55 
Ferbachstrasse 12           | Fax:   +49 2624 9550-20
D-56203 Hoehr-Grenzhausen

