first and foremost know that i was not intending to flame the original
author of the suggestion, only the wu-ftpd team. it was a legitimate
question, an honest suggestion, but one i wholeheartedly disagree with. i
encourage any wu-ftpd user to ditch the code right now.
On Thu, 25 Jan 2001, Steven Pierce wrote:
> What make a better FTP software?
where possible i use the BSD-ftpd port to Linux, which sometimes can be
ported to other OSes. the code is originally built from OpenBSD's ftpd.
other good FTPds include pro-ftpd (which, beware, is a wu-ftpd) and ncftpd
(which has some funky licensing, so beware).
> Why is it better?
it's cleaner code, more properly written, with an emphasis on correctness
and security. in short, the OpenBSD philosophy, which has worked well.
> What about the code is so bad, I am not a programmer so me looking at
> the code is not something I would completely understand.
the code is bad from the following standpoints:
- a poor use of shortcuts in some places (a common fault to be sure)
- common pitfalls (i.e. unformatted strings, unchecked buffers, etc) which
should have been fixed a long time ago
- poor style, making the integration of other peoples' work difficult (not
an uncommon fault either)
- lack of focus on security and correctness, instead focusing on
additional features (i.e. groups, quotas, etc)
take, for example, the recent string format problems. they were very
common, even OpenBSD had a bunch, but the joy of them is that it was
relatively easy to spot them and fix them. this was in the summer of 2000,
and only in january 2001 did some really easy fixes in this class get
incorporated into wu-ftpd (not even in the release version):
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patch
this kind of response time is terrible, and no self-respecting coding team
with a profile as high as that of wu-ftpd should be taking so long to get
fixes out.
a good audit of their code by their team would turn up a good chunk of the
remaining problems and fix them in short time. however, the team has
failed to do this, despite repeated large problems in their code.
i submit this to you: take, for example, on their homepage
(http://www.wu-ftpd.org/) the following snippet:
"January 24, 2001 News about a new exploit for wu-ftpd is making the
rounds without much explanation of the exact problem. The tempfile race
condition can occur in the privatepw utility, not in the running daemon.
So there is no externally exploitable situation."
a situation like that should give them good reason to sit down and audit
the code. dig around, find the exploit if you have to, but first and
foremost sit down with some good coders and examine the code. find any
possible hole, fix it. simply stating "there is no externally exploitable
situation" without really digging around, or at least convincing the
reader that the team has dug around, is sheer arrogance on their part, and
blatantly stupid of them, not to mention insulting to the users of the
software, who deserve much more respect from the authors of the code.
in the intervening time, avoid wu-ftpd like the plague. there's a good
reason why most Linux distributions have stopped shipping it as their
default FTP daemon.
i hope this has been enough information for you. if nothing else,
software's history should be enough for you to judge its quality. when
software has security problems that persist for years, through many, many
versions, it's an indication of a larger problem. in those cases i usually
dismiss the software and dissuade others from using it, as i'm doing now.
____________________________
jose nazario [EMAIL PROTECTED]
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
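The "unformatted strings" and "missing format strings" class the post refers to is the format string bug: untrusted text handed to a printf-family function as the format argument instead of as data. The C below is an added example and is not code from the post, from wu-ftpd, or from the linked patch. It shows a server-style reply helper called both the broken way and the fixed way (the fix is exactly the kind of one-token "%s" change the patch name suggests), plus a crude line-by-line checker of the sort an audit would run over a source tree to flag printf-family calls whose format argument is not a string literal. The function names `vreply`, `render_unsafe`, `render_safe` and `suspicious_format_call`, and the call table, are assumptions made for the example; the sample source lines are constructed.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style reply helper, as found in many daemons.
 * It has no format attribute, so the compiler cannot warn about callers
 * that pass untrusted text as fmt. */
static int vreply(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Bug: the untrusted string IS the format. Any '%' in it is interpreted;
 * "%x" leaks stack, "%n" writes to memory. The input "50%% off" is used
 * below because it demonstrates the interpretation without undefined
 * behaviour: the formatter collapses "%%" to "%". */
const char *render_unsafe(const char *untrusted)
{
    static char out[128];
    vreply(out, sizeof out, untrusted);          /* missing "%s" */
    return out;
}

/* Fix: the format is a literal and the untrusted text is passed as data. */
const char *render_safe(const char *untrusted)
{
    static char out[128];
    vreply(out, sizeof out, "%s", untrusted);
    return out;
}

/* Audit helper: which argument (0-based) of each call is the format. */
struct fmtcall { const char *name; int fmt_arg; };
static const struct fmtcall calls[] = {
    {"printf(", 0}, {"fprintf(", 1}, {"sprintf(", 1}, {"snprintf(", 2},
    {"syslog(", 1}, {"reply(", 1}, {"lreply(", 1},   /* last two: assumed helper names */
};

/* Returns 1 if the line calls one of the functions above with a format
 * argument that does not start with a string literal, else 0. It is a
 * heuristic: it ignores macros, line continuations and comments. */
int suspicious_format_call(const char *line)
{
    size_t i;
    for (i = 0; i < sizeof calls / sizeof calls[0]; i++) {
        const char *p;
        for (p = strstr(line, calls[i].name); p; p = strstr(p + 1, calls[i].name)) {
            int depth = 0, commas = 0;
            /* skip matches that are the tail of a longer identifier
             * (e.g. "printf(" inside "vsnprintf(") */
            if (p != line && (isalnum((unsigned char)p[-1]) || p[-1] == '_'))
                continue;
            p += strlen(calls[i].name);
            /* advance to the format argument, counting commas at depth 0 */
            while (*p && commas < calls[i].fmt_arg) {
                if (*p == '(') depth++;
                else if (*p == ')') { if (depth == 0) break; depth--; }
                else if (*p == ',' && depth == 0) commas++;
                p++;
            }
            while (*p == ' ' || *p == '\t') p++;
            return *p != '"';
        }
    }
    return 0;
}

int main(void)
{
    /* constructed sample lines of the kind an audit would grep for */
    const char *lines[] = {
        "    lreply(code, buf);",               /* bad: buf is the format */
        "    lreply(code, \"%s\", buf);",       /* fixed */
        "    syslog(LOG_INFO, msg);",           /* bad */
        "    vsnprintf(buf, sizeof buf, fmt, ap);",  /* not flagged: different call */
    };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%s  %s\n", suspicious_format_call(lines[i]) ? "FLAG" : "ok  ", lines[i]);
    printf("unsafe: \"%s\"\n", render_unsafe("50%% off"));
    printf("safe:   \"%s\"\n", render_safe("50%% off"));
    return 0;
}
```

The checker only catches the easy cases (a plain identifier where the literal should be), which is the point the post makes: this class was cheap to find and cheap to fix, and a team that sits on such fixes for months is not auditing its own code. Compiling with -Wformat-security and adding a format attribute to helpers like `vreply` gives the same check at build time, for free, on every commit.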