> Is anyone working to fix this:
>
> http://secunia.com/advisories/31464/
I'm sure Charles is thinking of a solution. But it's a really minor
issue, it's hard to imagine this could be used to intentionally obtain
login name and password. It's more that it might happen accidentally.
Just like you may type the right password at the wrong site.
--
"Lisp has all the visual appeal of oatmeal with nail clippings thrown in."
-- Larry Wall
/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
>> http://secunia.com/advisories/31464/
>
> I'm sure Charles is thinking of a solution. But it's a really minor
> issue
I agree, but I have to do something to fix this as I'm the NetBSD pkgsrc
maintainer for vim and I get daily warning about this...
Martti
Regards,
Chip Campbell
"fixed" indeed:
You check that the domain name has changed, but not the TCP port. An
FTP server on the same host, but a different port name has no business
knowing the credentials of the other server. This allows for example
collecting credentials of local users -- an FTP server set up by a
mere user will be sent credentials for the FTP server set up by root
(i.e., real user names + passwords for this machine):
FTP server set up by root:
ftp://rdancer@localhost/
FTP server set up by a mere user:
You may also want to read the advisory. It's there, right at the top:
``Once vim successfully connects to an FTP server using a user name and
password credentials, it will re-use them in all subsequent FTP
sessions, regardless of the domain name or TCP port.''
^^^^^^^^
-- http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
Cheers,
Jan.
Chip Campbell
Yes. Now that it has been shown that this is in fact insecure, and
can lead to credentials disclosure in the very environment where FTP
is secure overall (over local loopback, no snooping possible), it's
perhaps time to forgo that assumption. Requiring users to use
NetUserPass() is ridiculous.
Cheers,
Jan.
Ftp basically is an insecure protocol. It sends passwords out in the
open over the internet. Perhaps there is a specific way in which nobody
will be able to spot the password, but this is too complicated for most
users to understand. In general the statement is not to use ftp for
something where you don't want to take a risc of giving away your
password.
Trying to put a secure layer op top of an insecure protocol doesn't make
much sense. We can only try to avoid the most common mistakes a user
might make. But the general recommendation must still be not to use ftp
for things that should be secure.
--
DENNIS: Look, strange women lying on their backs in ponds handing out
swords ... that's no basis for a system of government. Supreme
executive power derives from a mandate from the masses, not from some
farcical aquatic ceremony.
"Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD