Note: This is an archival copy of Security Sun Alert 200174 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000128.1.
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Date of Resolved Release
When a user invokes the "ftp -d" command which enables debugging, the ftp password string is displayed on screen and may be observed by an onlooking user.
This issue can occur in the following releases:
Note: Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.
Solaris 9 is not impacted by this issue.
The password entered when using "ftp -d" will appear in the debug output as clear text as shown below:
% ftp -d localhost
Connected to localhost.
220 hostname FTP server (SunOS 5.8) ready.
Name (localhost:usera): myusername
---> USER myusername
331 Password required for myusername.
Password:
---> PASS my_secret_passwd
230 User myusername logged in.
To work around the described issue, avoid using ftp(1M) in debug mode (-d option).
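For sessions that were already captured with debugging enabled (for example in a saved terminal transcript), the following added example, which is not part of the original Sun Alert, locates and masks the echoed credential lines and reports which login each one belonged to. The function name, the mask string and the inclusion of the RFC 959 ACCT command are assumptions of this example; the sample transcript is constructed from the session shown above.

```python
import re

# Debug mode echoes each command sent to the server, prefixed with "--->".
DEBUG_CMD = re.compile(
    r"^(?P<prefix>\s*--->\s*)(?P<verb>[A-Za-z]+)(?:\s+(?P<arg>.*))?$"
)
# FTP commands whose argument is a credential (RFC 959); ACCT is an assumption
# added here, the alert itself only shows PASS.
SENSITIVE = {"PASS", "ACCT"}


def redact_transcript(text, mask="********"):
    """Return (redacted_text, findings) for a captured ftp debug transcript.

    findings lists (line_number, verb, user) for every credential echoed in
    clear text; user is the most recent USER argument seen, or None.
    """
    out, findings, user = [], [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = DEBUG_CMD.match(line)
        if m:
            verb = m.group("verb").upper()
            arg = m.group("arg")
            if verb == "USER":
                user = arg.strip() if arg else None
            elif verb in SENSITIVE and arg and arg.strip():
                findings.append((lineno, verb, user))
                line = f"{m.group('prefix')}{m.group('verb')} {mask}"
        out.append(line)
    return "\n".join(out), findings


# Constructed sample, based on the session shown in this alert.
SAMPLE = """\
% ftp -d localhost
Connected to localhost.
220 hostname FTP server (SunOS 5.8) ready.
Name (localhost:usera): myusername
---> USER myusername
331 Password required for myusername.
Password:
---> PASS my_secret_passwd
230 User myusername logged in."""

if __name__ == "__main__":
    clean, hits = redact_transcript(SAMPLE)
    print(clean)
    for lineno, verb, who in hits:
        print(f"line {lineno}: {verb} argument exposed for user {who!r}")
```

Any password reported by the filter has already been displayed in clear text and should be treated as exposed.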
This issue is addressed in the following releases: