Category
Security
Release Phase
Resolved
Product
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Bug Id
4621760
Date of Resolved Release
27-FEB-2003
Impact
When a user invokes the "ftp -d" command which enables debugging, the ftp password string is displayed on screen and may be observed by an onlooking user.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 2.6 without patch 106522-05
- Solaris 7 without patch 107454-06
- Solaris 8 without patch 108899-04
x86 Platform
- Solaris 2.6 without patch 106523-05
- Solaris 7 without patch 107455-06
- Solaris 8 without patch 108900-04
Note: Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.
Solaris 9 is not impacted by this issue.
Symptoms
The password entered when using "ftp -d" appears in the debug output in clear text, as shown below:
% ftp -d localhost
Connected to localhost.
220 hostname FTP server (SunOS 5.8) ready.
Name (localhost:usera): myusername
---> USER myusername
331 Password required for myusername.
Password:
---> PASS my_secret_passwd
230 User myusername logged in.
Workaround
To work around the described issue, avoid using ftp(1M) in debug mode (-d option).
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 2.6 with patch 106522-05 or later
- Solaris 7 with patch 107454-06 or later
- Solaris 8 with patch 108899-04 or later
x86 Platform
- Solaris 2.6 with patch 106523-05 or later
- Solaris 7 with patch 107455-06 or later
- Solaris 8 with patch 108900-04 or later
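An added example (not part of the Sun Alert): a shell check that maps a host's SunOS release and processor type to the fixing patch listed above and looks for that revision or later in "showrev -p" output. The function names, the 5.6/5.7/5.8 to Solaris 2.6/7/8 mapping and the sample listing are assumptions of this example; it assumes a POSIX shell and awk.

```shell
#!/bin/sh
# Added example, not from the Sun Alert. Function names are hypothetical.
# Assumes SunOS 5.6/5.7/5.8 = Solaris 2.6/7/8 and "showrev -p" lines of the
# form "Patch: <base>-<rev> Obsoletes: ...".

# Print "<patch base> <minimum revision>" for a release/processor pair.
required_patch() {
    case "$1/$2" in
        5.6/sparc) echo "106522 05" ;;
        5.7/sparc) echo "107454 06" ;;
        5.8/sparc) echo "108899 04" ;;
        5.6/i386)  echo "106523 05" ;;
        5.7/i386)  echo "107455 06" ;;
        5.8/i386)  echo "108900 04" ;;
        *) return 1 ;;   # release not listed as affected in the alert
    esac
}

# Succeed if listing $3 contains patch base $1 at revision $2 or later.
# A fix delivered under a different patch ID is not recognised.
has_fix() {
    printf '%s\n' "$3" | awk -v base="$1" -v min="$2" '
        $1 == "Patch:" {
            split($2, id, "-")
            if (id[1] == base && id[2] + 0 >= min + 0) ok = 1
        }
        END { exit !ok }'
}

# Print fixed, exposed, or not-listed for release $1, processor $2, listing $3.
ftp_debug_status() {
    req=$(required_patch "$1" "$2") || { echo "not-listed"; return 0; }
    if has_fix "${req% *}" "${req#* }" "$3"; then
        echo "fixed"
    else
        echo "exposed"
    fi
}

# Constructed sample listing (999999 is a placeholder patch ID).
SAMPLE_LISTING='Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108899-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 107455-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# On a real host, pass "$(uname -r)" "$(uname -p)" "$(showrev -p)" instead.
echo "5.8 sparc: $(ftp_debug_status 5.8 sparc "$SAMPLE_LISTING")"
echo "5.7 i386:  $(ftp_debug_status 5.7 i386 "$SAMPLE_LISTING")"
```

A result of "exposed" means the host is in the "without patch" state described under Contributing Factors, so the Workaround still applies there.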
Modification History
References
106522-05
107454-06
108899-04
106523-05
107455-06
108900-04
Attachments
This solution has no attachment