Note: This is an archival copy of Security Sun Alert 200174 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000128.1.
Article ID : 1000128.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-02-23
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

In Debug Mode, the ftp(1) Command Displays the Password on Screen in Clear Text



Category
Security

Release Phase
Resolved

Product
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4621760

Date of Resolved Release
27-FEB-2003

Impact

When a user invokes the "ftp -d" command, which enables debugging, the ftp password string is displayed on screen in clear text and may be observed by an onlooking user.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.6 without patch 106522-05
  • Solaris 7 without patch 107454-06
  • Solaris 8 without patch 108899-04

x86 Platform

  • Solaris 2.6 without patch 106523-05
  • Solaris 7 without patch 107455-06
  • Solaris 8 without patch 108900-04

Note: Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.

Solaris 9 is not impacted by this issue.


Symptoms

The password entered when using "ftp -d" appears in the debug output as clear text, as shown below:

	% ftp -d localhost
	Connected to localhost.
	220 hostname FTP server (SunOS 5.8) ready.
	Name (localhost:usera): myusername
	---> USER myusername
	331 Password required for myusername.
	Password:
	---> PASS my_secret_passwd
	230 User myusername logged in.
	

Workaround

To work around the described issue, avoid using ftp(1) in debug mode (-d option).


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 2.6 with patch 106522-05 or later
  • Solaris 7 with patch 107454-06 or later
  • Solaris 8 with patch 108899-04 or later

x86 Platform

  • Solaris 2.6 with patch 106523-05 or later
  • Solaris 7 with patch 107455-06 or later
  • Solaris 8 with patch 108900-04 or later
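
The following added example (not part of the original Sun Alert) checks a host's `showrev -p` patch listing against the minimum patch revisions listed above. The function names, the `release-arch` key built from `uname -r` and `uname -p`, and the sample input are assumptions made for illustration.

```shell
# Added example (not from the advisory): report whether the ftp(1) debug-mode
# fix is installed, judging from `showrev -p` output supplied on stdin.
# Needs a POSIX shell and awk (on the affected releases: ksh and nawk).

# Minimum patch per "<uname -r>-<uname -p>", taken from the advisory's lists.
required_patch() {
    case "$1" in
        5.6-sparc) echo 106522-05 ;;
        5.7-sparc) echo 107454-06 ;;
        5.8-sparc) echo 108899-04 ;;
        5.6-i386)  echo 106523-05 ;;
        5.7-i386)  echo 107455-06 ;;
        5.8-i386)  echo 108900-04 ;;
        *) return 1 ;;   # release not listed in the advisory
    esac
}

# Succeeds if a "Patch: BASE-REV" line on stdin has base $1 and REV >= $2.
# Assumption: a later patch that obsoletes BASE is not followed; check by hand.
has_patch_rev() {
    awk -v base="$1" -v min="$2" '
        $1 == "Patch:" {
            split($2, id, "-")
            if (id[1] == base && id[2] + 0 >= min + 0) found = 1
        }
        END { exit !found }'
}

# Usage on a host: showrev -p | ftp_fix_status "$(uname -r)-$(uname -p)"
ftp_fix_status() {
    req=$(required_patch "$1") || { echo "not-listed"; return 0; }
    if has_patch_rev "${req%-*}" "${req#*-}"; then
        echo "fixed"
    else
        echo "vulnerable (needs $req or later)"
    fi
}

# Constructed sample input: placeholder package name and unrelated patch id.
SAMPLE_OLD='Patch: 108899-02 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 999999-09 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg'
SAMPLE_NEW='Patch: 108899-04 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg'

printf '%s\n' "$SAMPLE_OLD" | ftp_fix_status 5.8-sparc
printf '%s\n' "$SAMPLE_NEW" | ftp_fix_status 5.8-sparc
```

A result of "not-listed" means the release is outside the advisory's patch lists, such as Solaris 9, which the advisory states is not impacted.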


References

106522-05
107454-06
108899-04
106523-05
107455-06
108900-04
