Auto_FTP.pl Advisory

Binyamin Greenberg – bgreenberg@nightfallsecurity.com
Nightfall Security Solutions, LLC – We break stuff, before they do.

Auto_FTP.pl is a Perl script that watches a shared directory: whenever something new is put into the shared directory, it transfers it to the specified FTP site. Auto_FTP is available via freshmeat.net.

Auto_FTP uses a configuration file, /etc/auto_ftp.conf, which contains the username, password and IP address of the remote FTP site in plain text. This allows anyone with read access to /etc to view the login and password for the FTP site.

Another problem is that the shared directory is /tmp/ftp_tmp by default, which can be viewed by any user on the machine. If you are transferring sensitive material with Auto_FTP, it won’t be sensitive for much longer.

Auto_FTP does not check which user is sending to the shared directory. Any user on the local system could copy a file to /tmp/ftp_tmp and have it transferred to the FTP site.

Auto_FTP in Summary
Stores the login and password for the remote FTP site in a plaintext configuration file.
Uses a shared directory to automatically transfer files; by default, that directory can be used and viewed by anyone.
Does not check which user sent a specific file to the shared directory, so anyone can copy a file to the shared directory and have it transferred to the FTP site. (The default shared directory is /tmp/ftp_tmp.)

In conclusion, this program, while it may be a good idea, does not concern itself with security precautions and is therefore not recommended when the contents of the data are important. As a reminder, storing plaintext passwords in a file that can be viewed by anyone is never a good idea.
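
The three findings above can be checked on a host with a short audit script. This is an added example, not part of the original advisory or of Auto_FTP itself; the function name `audit_auto_ftp` and the `allowed_uids` policy parameter are assumptions, and the default paths are the ones the advisory names.

```python
import os
import stat

# Default paths are the ones named in the advisory.
CONF_PATH = "/etc/auto_ftp.conf"
SHARE_DIR = "/tmp/ftp_tmp"


def audit_auto_ftp(conf_path=CONF_PATH, share_dir=SHARE_DIR, allowed_uids=None):
    """Return a list of findings for the three issues in the advisory.

    allowed_uids is a hypothetical policy input: the UIDs permitted to queue
    files for transfer. It defaults to the user running the audit.
    """
    if allowed_uids is None:
        allowed_uids = {os.getuid()}
    findings = []

    # 1. Credentials file readable beyond its owner.
    try:
        mode = os.stat(conf_path).st_mode
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{conf_path}: readable by group/other "
                            f"(mode {stat.S_IMODE(mode):04o})")
    except FileNotFoundError:
        findings.append(f"{conf_path}: not found")

    # 2. Shared directory open to other local users.
    try:
        st = os.lstat(share_dir)  # lstat: do not follow a symlink planted in /tmp
    except FileNotFoundError:
        findings.append(f"{share_dir}: not found")
        return findings
    if not stat.S_ISDIR(st.st_mode):
        findings.append(f"{share_dir}: not a real directory (possible symlink)")
        return findings
    if st.st_mode & stat.S_IRWXO:
        findings.append(f"{share_dir}: accessible to other users "
                        f"(mode {stat.S_IMODE(st.st_mode):04o})")

    # 3. Queued files placed by users outside the allowed set.
    for entry in os.scandir(share_dir):
        owner = entry.stat(follow_symlinks=False).st_uid
        if owner not in allowed_uids:
            findings.append(f"{entry.path}: owned by uid {owner}, not allowed")
    return findings


if __name__ == "__main__":
    for line in audit_auto_ftp():
        print(line)
```

An empty result means the configuration file is readable only by its owner (and possibly root), the shared directory grants nothing to other users, and every queued file belongs to an allowed UID.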
