Two months ago there was a security scan done against one of our customer's managed servers [1], and the report came back with a bazillion things they (the security scanning company) didn't like. So we spent the time securing the network path and building a new server from scratch, using the latest versions of Apache [2], ProFTPd [3], etc, built from tarballs [4] (the distribution was daring to use ancient, decrepit, months old versions of said software—how dare they!).
So earlier this week another security scan was done (by another company this time; the report is only a few pages long instead of the five hundred plus from the other company) and I just now saw the report.
Table: Emphasis added

Protocol: TCP
Port: 21
Program: ftp
Risk: 1
Summary: The remote host [that's us] is using ProFTPD, a free FTP (File Transfer Protocol) server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host suffers from multiple format string vulnerabilities, one involving the ‘ftpshut’ utility and the other in mod_sql's ‘SQLShowInfo’ directive. Exploitation of either **requires involvement on the part of a site administrator** and can lead to information disclosure, denial of service, and even a compromise of the affected system. See also: http://www.proftpd.org/docs/RELEASE_NOTES-1.3.0rc2 [5]
**Solution:** Upgrade to ProFTPD version 1.3.0rc2 or later.
**Risk Factor:** Low

------------------------------

Protocol: TCP
Port: 21
Program: ftp
Risk: 1
Summary: The remote ProFTPd server is as old or older than 1.2.10. It is possible to determine which user names are valid on the remote host based on a timing analysis attack of the login procedure. An attacker may use this flaw to set up a list of valid usernames for a more efficient brute-force attack against the remote host.
**Solution:** Upgrade to a newer version.
**Risk Factor:** Low
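If you want to see for yourself whether the second finding applies (rather than trusting a banner-based guess), the check is simple: time a failed login for each candidate username and look for names that take measurably longer, which is what happens when the server only does the expensive work (a password hash, a directory lookup) for accounts that exist. The script below is an added example, not code from the original post, from ProFTPD, or from either scanning company. The `ftp_login` helper, the `simulated_login` stand-in, the `KNOWN_USERS` set and the 50 ms delay are all constructed for illustration; the delay models an old login path that only hashes the password for real accounts.

```python
"""Timing-based username enumeration check for an FTP login.

Added example; it is not part of the original post or of ProFTPD.
The network transport is hidden behind a `login(user, password)` callable so
the same measurement code runs against a real server (via ftplib) or, as in
the self-contained run below, against a constructed simulator.
"""
import ftplib
import statistics
import time
from typing import Callable, Dict, List, Sequence, Tuple

Login = Callable[[str, str], None]


def ftp_login(host: str, port: int = 21, timeout: float = 10.0) -> Login:
    """Return a login callable that opens a fresh FTP session per attempt.

    A fresh connection each time means the measured interval covers connect +
    USER + PASS, which adds noise; the median over several trials absorbs it.
    """
    def login(user: str, password: str) -> None:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(user, password)  # raises ftplib.error_perm on failure
    return login


def time_login(login: Login, user: str, password: str, trials: int) -> float:
    """Median wall-clock seconds for `trials` login attempts as `user`."""
    samples: List[float] = []
    for _ in range(trials):
        start = time.perf_counter()
        try:
            login(user, password)
        except Exception:
            pass  # a rejected login is the expected outcome; only the time matters
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def enumerate_by_timing(login: Login, candidates: Sequence[str],
                        trials: int = 3, threshold: float = 0.02
                        ) -> Tuple[List[str], Dict[str, float]]:
    """Flag candidate usernames whose failed login is slower than the fastest one.

    The fastest candidate is taken as the 'unknown user' baseline (the cheap code
    path); any name slower than baseline + threshold seconds is reported.
    """
    timings = {u: time_login(login, u, "not-the-password", trials) for u in candidates}
    baseline = min(timings.values())
    flagged = sorted(u for u, t in timings.items() if t - baseline > threshold)
    return flagged, timings


# Constructed simulator of a leaky login routine (not ProFTPD code).
KNOWN_USERS = {"alice", "bob"}


def simulated_login(user: str, password: str) -> None:
    if user in KNOWN_USERS:
        time.sleep(0.05)  # stand-in for hashing the password of a real account
    raise PermissionError("530 Login incorrect.")


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "dave"]  # constructed candidate list
    found, per_user = enumerate_by_timing(simulated_login, names)
    for u in names:
        print(f"{u:8s} {per_user[u] * 1000:7.1f} ms")
    print("likely valid accounts:", found)
    # Against a real host you would pass ftp_login("ftp.example.test") instead.
```

Run it against your own server with `ftp_login(host)` and a handful of names you know do and do not exist; if the known accounts cluster well above the others, the fix is the same as the report says (upgrade), and the check is worth re-running after the upgrade to confirm the timing gap is gone.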
So let me get this straight: the first problem requires the system administrator to be in on the exploit.
Um …
If the system administrator is in on the exploit, you have more serious problems! What? Are all these security scan companies on crack or something?
I found the second problem amusing since it doesn't like ProFTPD version 1.2.10 (or less) even though 1.2.10 is the latest stable release! See, I told you these security scan companies hate currently released software. So I suppose this means I need to upgrade to one of the later release candidates.
Anyway, the problems that were listed (and there were only five total) were sufficiently low risk that we passed the security scan.