Path: utzoo!attcan!uunet!cs.utexas.edu!hellgate.utah.edu!mailrus!iuvax!ndcheg!jeff
From: jeff@ndcheg.cheg.nd.edu (Jeffrey C. Kantor)
Newsgroups: comp.sys.mac
Subject: Re: NCSA Telnet release announcement
Summary: This is a problem!
Message-ID: <745@ndcheg.cheg.nd.edu>
Date: 3 Sep 89 14:41:38 GMT
References: <600048@zaphod> <15372@dartvax.Dartmouth.EDU>
Organization: Dep't of Chemical Eng., Univ. of Notre Dame
Lines: 30

In article <15372@dartvax.Dartmouth.EDU>, matthews@eleazar.dartmouth.edu (Jim Matthews) writes:
> Does Telnet 2.3 still ship with the FTP server enabled and no password
> security? I was quite surprised to learn that running version 2.2 made
> it possible for anyone with an FTP client to read the files on my hard
> disk and plant viruses in my system folder. In fact, with enough
> naive Telnet users around you could imagine an AppleTalk "worm" program
> that ftp'd itself from machine to machine.
>
> Is security in version 2.3 any better?

Apparently not. After having installed 2.3 a few weeks ago, I was busy
working on our local Unix host when I found someone ftp'ing to the same IP
number that I was using. I recognized the user as a friendly student, so
no alarm on my part, but I thought there may have been some sort of IP
number mixup on our local net. Imagine my surprise when I found out he had
full (r/w) ftp access to my Mac!

This is definitely a serious security flaw. The manual doesn't really
address the problem in an explicit fashion. Keep in mind, of course, that
most users do not even read the manual.

At a minimum, ftp should not be enabled as distributed. And when the user
does enable ftp, a dialog box should warn the user that ftp leaves your
Mac open to the entire internet.

--
Jeff Kantor                         US Mail: Dept. of Chemical Engineering
internet: jeff@ndcheg.cheg.nd.edu            University of Notre Dame
uucp: iuvax!ndmath!ndcheg!jeff               Notre Dame, IN 46556 USA