The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Friday, February 24, 2006

“You're running ancient and decrepid software. And you're momma dresses you funny.”

Two months ago there was a security scan done against one of our customer's managed servers, and the report came back with a bazillion things they (the security scanning company) didn't like. So we spent the time securing the network path and building a new server from scratch, using the latest versions of Apache, ProFTPd, etc, built from tarballs (the distribution was daring to use ancient, decrepid, months old versions of said software—how dare they!).

So it was earlier this week that a security scan (done by another company this time—the report is only a few pages long instead of the five hundred plus from the other company) and I just now saw the report.

Emphasis added
TCP21ftp1The remote host [that's us] is using ProFTPD, a free, FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host suffers from multiple format string vulnerabilities, one involving the ‘ftpshut’ utility and the other in mod_sql's ‘SQLShowInfo’ directive. Exploitation of either requires involvement on the part of a site administrator and can lead to information disclosure, denial of service, and even a compromise of the affected system. See also: Solution: Upgrade to ProFTPD version 1.3.0rc2 or later. Risk Factor: Low
TCP21ftp1The remote ProFTPd server is as old or older than 1.2.10 It is possible to determine which user names are valid on the remote host based on timing analysis attack of the login procedure. An attacker may use this flaw to set up a list of valid usernames for a more efficient brute-force attack against the remote host. Solution: Upgrade to a newer version. Risk Factor: Low

So let me get this straight: the first problem requires the system administrator to be in on the exploit.

Um …

If the system administrator is in on the exploit, you have more serious problems! What? Are all these security scan companies on crack or something?

I found the second problem amusing since it doesn't like ProFTPD version 1.2.10 (or less) even though 1.2.10 is the latest stable release! See, I told you these security scan companies hate currently released software. So I suppose this means I need to upgrade to one of the later release candidates.

Anyway, the problems that were listed (and there were only five total) were sufficiently low risk that we passed the security scan.

Obligatory Picture

[The future's so bright, I gotta wear shades]

Obligatory Contact Info

Obligatory Feeds

Obligatory Links

Obligatory Miscellaneous

You have my permission to link freely to any entry here. Go ahead, I won't bite. I promise.

The dates are the permanent links to that day's entries (or entry, if there is only one entry). The titles are the permanent links to that entry only. The format for the links are simple: Start with the base link for this site:, then add the date you are interested in, say 2000/08/01, so that would make the final URL:

You can also specify the entire month by leaving off the day portion. You can even select an arbitrary portion of time.

You may also note subtle shading of the links and that's intentional: the “closer” the link is (relative to the page) the “brighter” it appears. It's an experiment in using color shading to denote the distance a link is from here. If you don't notice it, don't worry; it's not all that important.

It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2024 by Sean Conner. All Rights Reserved.