RE: Automatic FTP account creation

From: Kit (kit@smallfoxx.com)
Date: 05/28/02


From: "Kit" <kit@smallfoxx.com>
To: "Stefan Osterlitz" <osterlitz@p-p.de>, <lists@tigerteam.cc>, <security-basics@securityfocus.com>
Date: Tue, 28 May 2002 15:38:54 -0500


>-----Original Message-----
>From: Stefan Osterlitz [mailto:osterlitz@p-p.de]
>To: lists@tigerteam.cc; security-basics@securityfocus.com
>
>>Platform is not important, can be a UNIX or NT based FTP server. This
>>request has obvious security issues but if you knew the client you'd
>>agree this is the least of their worries.
>
>it is. this would be a screaming horror under NT with IIS.. IMHO
>
>Stefan Osterlitz
>
Okay, what exactly is the basis for this fear mongering?

For starters, you're talking about only facing the FTP to the public and not
even a Web interface, so you don't have to worry about extra ISAPI filters
being installed. Secondly, the only ISAPI filter you would need for the
internal website is ASP to create the dynamic page and interpret the code so
you can remove all the rest. Also, the authentication, storage, and
management of the IDs are built into the OS and are easily scriptable with
built-in functionality easing the implementation.

It'd be extremely easy to script, especially once the base FTP site is set up
and properly configured; I've done dozens of similar such tasks before.

To simply say it's a "screaming horror" is outrageous and borders on slander.
Any poorly set up system would be vulnerable regardless of underlying
OS/Application; they all require knowledge and planning.

That all being said, it is dependent on what services and products you're
most comfortable with. If you're more familiar with installing, securing,
and managing a Unix solution, there are probably hundreds out there (such as
pure-ftpd). If you're more familiar with installing, securing, and managing
Win32 solutions, there are dozens out there (including NT/IIS and WS_FTP).
In the end, go with the one you are more able to aptly set up securely for
your customer.

-K


