Xref: utzoo alt.security:776 comp.protocols.tcp-ip:11598 alt.sys.sun:960
Path: utzoo!attcan!uunet!snorkelwacker!usc!zaphod.mps.ohio-state.edu!uwm.edu!uwvax!rang
From: rang@cs.wisc.edu (Anton Rang)
Newsgroups: alt.security,comp.protocols.tcp-ip,alt.sys.sun
Subject: tftp (was Re: anonymous ftp, and the dangers thereof)
Summary: tftp lets people grab /etc/passwd
Message-ID:
Date: 7 Jun 90 13:23:18 GMT
References: <1990Apr20.192233.4092@utzoo.uucp> <6721@blake.acs.washington.edu> <3023@unisoft.UUCP>
Sender: news@spool.cs.wisc.edu
Organization: UW-Madison CS department
Lines: 19
In-reply-to: greywolf@unisoft.UUCP's message of 6 Jun 90 23:25:08 GMT

In article <3023@unisoft.UUCP> greywolf@unisoft.UUCP (The Grey Wolf) writes:
>To what extent does one disable tftp (or did the original user mean
>anonymous ftp)?

  At a minimum, you should restrict either which hosts can access tftp on a
given machine, or which files tftp can access.  The problem is that tftp,
as distributed, lets anyone access any publicly-readable file, and lots of
important files (like /etc/passwd) are publicly readable.  (In other words,
having tftp enabled allows dictionary attacks to be tried without needing an
account on the remote machine.)

  This is my understanding of the matter, at least; feel free to correct
any misapprehensions.

	Anton

+---------------------------+------------------+-------------+
| Anton Rang (grad student) | rang@cs.wisc.edu | UW--Madison |
+---------------------------+------------------+-------------+
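Added example, not part of Anton's post: the "restrict which files tftp can access" half of his advice, as an inetd.conf audit. On BSD-derived and SunOS systems in.tftpd accepts -s, which makes the daemon chroot into the named directory before serving anything, so /etc/passwd stops being reachable; check the flag against your own man page before relying on it. The inetd.conf lines are constructed sample data, /tftpboot is an assumed directory, and check_tftp_inetd / fix_tftp_inetd are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post). Audits an inetd.conf for a
# tftp entry that starts in.tftpd without -s, and emits the restricted form.
# Sample inetd.conf contents below are constructed; /tftpboot is assumed.

# check_tftp_inetd FILE
#   prints 2 if FILE has no active (uncommented) tftp line,
#          0 if the tftp line runs in.tftpd with -s (chrooted),
#          1 if it runs in.tftpd without -s (every world-readable file served)
check_tftp_inetd() {
    # Drop comment lines, keep only the active tftp service line(s)
    line=$(grep -v '^[[:space:]]*#' "$1" | grep '^tftp[[:space:]]' || :)
    if [ -z "$line" ]; then
        echo 2
    elif printf '%s\n' "$line" | grep -q 'tftpd.*[[:space:]]-s'; then
        echo 0
    else
        echo 1
    fi
}

# fix_tftp_inetd FILE DIR
#   prints FILE with each active tftp line that lacks -s rewritten so the
#   server arguments (the trailing argv, not the path field) gain "-s DIR"
fix_tftp_inetd() {
    sed "/^tftp[[:space:]]/{
/tftpd.*[[:space:]]-s/!s|in\.tftpd[[:space:]]*\$|in.tftpd -s $2|
}" "$1"
}

# Constructed sample configurations (not from any real host)
OPEN_CONF=/tmp/inetd.open.$$
SECURE_CONF=/tmp/inetd.secure.$$
FIXED_CONF=/tmp/inetd.fixed.$$

cat > "$OPEN_CONF" <<'EOF'
# constructed sample: tftp as distributed, hands out any world-readable file
ftp     stream  tcp     nowait  root    /usr/etc/in.ftpd        in.ftpd
tftp    dgram   udp     wait    root    /usr/etc/in.tftpd       in.tftpd
EOF

cat > "$SECURE_CONF" <<'EOF'
# constructed sample: in.tftpd chrooted to /tftpboot, /etc/passwd unreachable
tftp    dgram   udp     wait    root    /usr/etc/in.tftpd       in.tftpd -s /tftpboot
EOF

# Produce the corrected version of the open configuration
fix_tftp_inetd "$OPEN_CONF" /tftpboot > "$FIXED_CONF"

for f in "$OPEN_CONF" "$SECURE_CONF" "$FIXED_CONF"; do
    echo "$f: status $(check_tftp_inetd "$f")"
done
```

Status 1 is the configuration the post warns about: anyone who can reach UDP port 69 can pull /etc/passwd and run a dictionary attack offline. The fix only touches the trailing argv field, since the path field (/usr/etc/in.tftpd) must stay a bare executable name for inetd. Restricting which hosts may reach the port at all, the other option the post mentions, is a separate control and is not shown here.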