Package: pyftpd
Version: 0.8.4.6
Severity: critical
Justification: root security hole
Tags: security

*** Please type your report below this line ***

File /etc/pyftpd/auth_db_config.py contains:

passwd = [('test', 'test', 'CY9rzUYh03PK3k6DJie09g=='),
          ('user', 'users', '7hHLsZBS5AsHqsDKBgwj7g=='),
          ('roxon', 'users', 'ItZ2pB7rPmzFV6hrtdnZ7A==')]

These accounts can be used to log in to the FTP server and read arbitrary
files and list directories. File perm_acl_config.py lists user permissions.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pyftpd depends on:
ii  python          2.5.2-3  An interactive high-level object-o
ii  python-central  0.6.8    register and build utility for Pyt

Versions of packages pyftpd recommends:
ii  python-tk       2.5.2-1  Tkinter - Writing Tk applications

pyftpd suggests no packages.

-- no debconf information
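
An audit check for the condition reported above, added here as an example (not part of the original report and not pyftpd's own code). It reads an auth_db_config.py without executing it and flags entries that still match the shipped list quoted in the report. The function names, the status labels, the sample config and the reading of the first tuple element as the account name are assumptions.

```python
import ast

# Entries quoted in the report as shipped in /etc/pyftpd/auth_db_config.py.
SHIPPED_DEFAULTS = {
    ("test", "test", "CY9rzUYh03PK3k6DJie09g=="),
    ("user", "users", "7hHLsZBS5AsHqsDKBgwj7g=="),
    ("roxon", "users", "ItZ2pB7rPmzFV6hrtdnZ7A=="),
}
# Assumption: the first element of each tuple is the account name.
DEFAULT_NAMES = {entry[0] for entry in SHIPPED_DEFAULTS}


def load_passwd(source):
    """Return the list assigned to `passwd`, parsed but never executed."""
    entries = None
    for node in ast.parse(source).body:  # top-level statements, in order
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "passwd" for t in node.targets
        ):
            # literal_eval raises ValueError if the value is not a plain literal
            entries = ast.literal_eval(node.value)
    if entries is None:
        raise ValueError("no top-level 'passwd' assignment found")
    return [tuple(e) for e in entries]


def audit(source):
    """Classify each entry as 'shipped-default', 'default-name' or 'local'."""
    findings = []
    for entry in load_passwd(source):
        if entry in SHIPPED_DEFAULTS:
            status = "shipped-default"   # packaged account left unchanged
        elif entry and entry[0] in DEFAULT_NAMES:
            status = "default-name"      # packaged name, other fields differ
        else:
            status = "local"
        findings.append((entry[0] if entry else None, status))
    return findings


# Constructed sample config: one untouched default, one altered, one local.
SAMPLE = """
passwd = [('test', 'test', 'CY9rzUYh03PK3k6DJie09g=='),
          ('user', 'users', 'CONSTRUCTED-PLACEHOLDER=='),
          ('alice', 'staff', 'CONSTRUCTED-PLACEHOLDER==')]
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE):
        print(f"{name}: {status}")
```

Any entry reported as shipped-default means the packaged account is still active on that host; perm_acl_config.py, which the report says lists user permissions, should be reviewed alongside it.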