FTP holes give attackers an easy way in

File server holes could give vandals a way to deface Web sites
Written by Robert Lemos, Contributor

A bug in popular software used to transfer files between computers over the Internet could leave a door open to online vandals and network intruders, data protection specialist PGP Security said on Monday.

"In addition to the threat of data loss and attacks against private networks... these vulnerabilities could offer an easy avenue of approach for an attacker intent on defacing Web sites," said Jim Magdych, manager of PGP Security's vulnerability response team.

The vulnerability occurs in a function that allows people accessing a file server to search for particular words, even when they don't know the complete file name. When attackers put in a specially crafted search term, they can cause the computer to execute malicious code, said PGP Security.

Along with HTML -- the lingua franca of the Web -- and email, file transfer protocol, or FTP, is the most common way of moving data across the Web.

According to PGP Security, the flawed FTP server software is part of the standard operating system package from Sun Microsystems, Hewlett-Packard and Silicon Graphics. The FTP software packaged with NetBSD and FreeBSD, two open-source variants of Unix, is also affected, Magdych said.

"FTP has been around a long time, so they use the same root code base," Magdych said.

FTP software has been a common chink in the digital armor that many companies have erected around their networks. Flaws in the free file server created by Washington University, known as wu-FTP, led to a large number of last year's defacements.

While wu-FTP contains the vulnerable function -- known as "glob()" -- it works in a slightly different way with Linux systems, leaving most of those systems protected from the exploit.

The subsidiary of Network Associates announced the most recent flaw on Monday. The company said it had notified software and computer makers that incorporate the vulnerable software in their systems more than two weeks ago and also notified the Computer Emergency Response Team (CERT) at Carnegie Mellon University.

"Ordinarily we might be inclined to hold off a little longer, but we are concerned that information about [the vulnerability] may be starting to circulate," Magdych said.

As of Monday afternoon, however, neither Network Associates nor CERT had an advisory on its Web site.

Systems administrators looking to protect their systems can do so by attacking the root problem, Magdych said.

"To protect yourselves, a quick first step is to make sure that nothing is writable by anonymous FTP users or that those users are not allowed to make a directory," he said.
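
The check described in that advice can be run mechanically over an anonymous FTP tree. The shell function below is an added example, not part of the original article or of any vendor advisory; it assumes the caller passes the anonymous root directory and that the daemon maps anonymous logins to a local account (default name `ftp`, an assumption).

```shell
#!/bin/sh
# Added example: report paths under an anonymous FTP root that the anonymous
# account could write to. Assumptions (not from the article): the caller
# supplies the root directory, and the daemon maps anonymous logins to the
# local account named in the second argument (default "ftp").
# Usage: audit_anon_ftp /path/to/anonymous/root ftp

audit_anon_ftp() {
    root=$1
    user=${2:-ftp}
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi

    # World-writable entries are writable by every account, anonymous included.
    # A world-writable directory also lets that account create subdirectories.
    # Symlinks are skipped because their own mode bits are not enforced.
    findings=$(find "$root" ! -type l -perm -0002 -print | sed 's/^/world-writable: /')

    if id "$user" >/dev/null 2>&1; then
        gid=$(id -g "$user")
        # An owner can always chmod its own entries back to writable.
        owned=$(find "$root" ! -type l -user "$user" -print | sed 's/^/owned-by-account: /')
        # Group-writable entries whose group is the account's primary group.
        grp=$(find "$root" ! -type l -group "$gid" -perm -0020 -print | sed 's/^/group-writable: /')
        findings=$(printf '%s\n%s\n%s\n' "$findings" "$owned" "$grp")
    else
        echo "note: account '$user' not found, ownership checks skipped" >&2
    fi

    # Drop blank lines left by empty result sets.
    findings=$(printf '%s\n' "$findings" | sed '/^$/d')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

The function returns 0 when nothing under the root is writable by the anonymous account, 1 when it lists findings, and 2 when the root path is not a directory.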
