  #1  
Old 29th August 2008, 17:40
marcusr (Junior Member)
Serious security issue in proftpd/mysql/Debian-Howto

Hi there,

apart from the fact that the proftpd/mysql/Debian-Howto
http://www.howtoforge.com/vsftpd_mysql_debian_etch

is simply brilliant, we figured out a pretty serious security hole:

This configuration enables system users to log in via FTP using an exclamation mark ("!") as password. On one of our Dev-Servers, I was able to log in as

ftp
proftpd
mysql
sshd

...with full access to the respective home dirs, which may be fatal if you've got your mysql on the same machine.

This can be solved by adding
AuthOrder mod_sql.c

to proftpd.conf.


greets,
marcus
  #2  
Old 30th August 2008, 18:38
falko (Super Moderator)

Quote:
Originally Posted by marcusr
apart from the fact that the proftpd/mysql/Debian-Howto
http://www.howtoforge.com/vsftpd_mysql_debian_etch
Proftpd or vsftpd?
__________________
Falko
  #3  
Old 30th August 2008, 18:48
Norman (HowtoForge Supporter)

I'm unable to replicate this behaviour in my production environment.
__________________
http://www.xh.se
  #4  
Old 30th August 2008, 21:38
edge (Moderator)

Quote:
Originally Posted by Norman
I'm unable to replicate this behaviour in my production environment.
Same here... I cannot replicate this problem on my Debian Etch systems with ProFTPD.
__________________
Never execute code written on a Friday or a Monday.
  #5  
Old 30th August 2008, 23:53
marcusr (Junior Member)

Quote:
Originally Posted by falko
Proftpd or vsftpd?
Whoops... pasted the wrong link there. That was supposed to link to the proftpd howto a few lines below...

I can replicate this behaviour on two machines now; both run on etch, and I followed the howto nearly 1:1. I assume the plaintext login is the reason...

One of these machines is productive, and someone already tried to run phpshell on it, which didn't succeed because the FTP homedir is outside the webroot.

Google 'nyck.php' gives some interesting hits...
  #6  
Old 31st August 2008, 01:48
tal56 (Member)

I was not able to replicate this with my CentOS 5.2 install either.
  #7  
Old 31st August 2008, 02:33
Norman (HowtoForge Supporter)

Could you post your proftpd.conf?
__________________
http://www.xh.se
  #8  
Old 1st September 2008, 17:03
marcusr (Junior Member)

Hi,
here's my proftpd.conf (large comments left out):

Code:
------8<-------
Include /etc/proftpd/modules.conf
ServerName                      "Debian"
ServerType                      standalone
DeferWelcome                    off

MultilineRFC2228                on
DefaultServer                   on
ShowSymlinks                    on

TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200

DisplayLogin                    welcome.msg
DisplayFirstChdir               .message
ListOptions                     "-l"
UseIPv6                         off

# (if i add this, everything's ok). without, the "!"-problem returns: 
# AuthOrder mod_sql.c

DenyFilter                      \*.*/

Port                            21

MaxInstances                    30

# Set the user and group that the server normally runs at.
User                            ftpuser
Group                           ftpgroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask                           022  022
# Normally, we want files to be overwriteable.
AllowOverwrite                  on

DefaultRoot ~
UseReverseDNS off
IdentLookups off

   <Global>
   RootLogin off
   #RequireValidShell on
   </Global>

# The passwords in MySQL are encrypted using CRYPT
SQLAuthTypes            Plaintext Crypt
SQLAuthenticate         users groups


# used to connect to the database
# databasename@host database_user user_password
SQLConnectInfo  ftp@localhost proftpd xxxxxxx


# Here we tell ProFTPd the names of the database columns in the "usertable"
# we want it to interact with. Match the names with those in the db
SQLUserInfo     ftpuser userid passwd uid gid homedir shell

# Here we tell ProFTPd the names of the database columns in the "grouptable"
# we want it to interact with. Again the names match with those in the db
SQLGroupInfo    ftpgroup groupname gid members

# set min UID and GID - otherwise these are 999 each
SQLMinID        500

# create a user's home directory on demand if it doesn't exist
SQLHomedirOnDemand on

# Update count every time user logs in
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser

# Update modified everytime user uploads or deletes a file
SQLLog  STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser

# User quotas
# ===========
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits Mb
QuotaShowQuotas on

SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"

SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"

SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies

SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies

QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally

RootLogin off
RequireValidShell off
------>8-------
proftpd 1.3.0-19
proftpd-common 1.2.10-15sarge4
proftpd-mysql 1.3.0-19

bye,
marcus
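An added configuration check, not from the thread or the ProFTPD project: it parses a proftpd.conf and flags the state shown above (AuthOrder still commented out, so ProFTPD can fall through to its system-account auth modules) next to the fixed form from the first post. The sample configs are constructed excerpts of marcus's file, and the function and finding names are my own.

```python
# Constructed excerpt of the thread's proftpd.conf, with the AuthOrder line
# still commented out as in marcus's post.
VULNERABLE_CONF = """\
Include /etc/proftpd/modules.conf
ServerName                      "Debian"
# AuthOrder mod_sql.c
<Global>
RootLogin off
</Global>
SQLAuthTypes            Plaintext Crypt
SQLAuthenticate         users groups
"""

# The same excerpt with the fix from the first post applied.
FIXED_CONF = VULNERABLE_CONF.replace("# AuthOrder mod_sql.c", "AuthOrder mod_sql.c")


def parse_directives(conf_text):
    """Yield (directive, args) per config line, skipping blank lines,
    '#' comment lines and <Section> tags. ProFTPD directive names are
    case-insensitive, so they are lower-cased here."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def audit_auth_order(conf_text):
    """Return (auth_order, findings): the AuthOrder module list (None when
    the directive is absent; the last one seen is kept) and finding codes."""
    auth_order = None
    sql_auth_types = []
    for name, args in parse_directives(conf_text):
        if name == "authorder":
            auth_order = args
        elif name == "sqlauthtypes":
            sql_auth_types = [t.lower() for t in args]
    findings = []
    if auth_order is None:
        # No AuthOrder: ProFTPD may fall through to its system-account auth
        # modules when mod_sql does not know the user (marcus's "!" login).
        findings.append("authorder-missing")
    elif [m for m in auth_order if m != "mod_sql.c"]:
        findings.append("authorder-includes-other-modules")
    if "plaintext" in sql_auth_types:
        findings.append("sqlauthtypes-plaintext")  # stored passwords compared as-is
    return auth_order, findings
```

Run it over the real /etc/proftpd/proftpd.conf with `audit_auth_order(open(path).read())`; an empty AuthOrder result means the directive is missing, not that it is set to nothing.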