| 1 |
I've been reading the monthly security bulletin from sans.org for |
| 2 |
several years. During that time I've noticed some recurring themes, |
| 3 |
including multiple appearances from Adobe products like Flash. |
| 4 |
|
| 5 |
Another recurring theme is ftp servers (of which there are dozens) |
| 6 |
like this month's report: |
| 7 |
|
| 8 |
Platform: Cross Platform |
| 9 |
Title: Wing FTP Server "ssh public key" Authentication Security Bypass |
| 10 |
Vulnerability |
| 11 |
Description: Wing FTP Server is a secure file server for Windows, Linux, |
| 12 |
Mac, FreeBSD and Solaris. Wing FTP Server is exposed to a security bypass |
| 13 |
issue that affects the SSH authentication mechanism. Versions prior to |
| 14 |
Wing FTP Server 3.8.8 are affected. |
| 15 |
Ref: http://www.securityfocus.com/bid/48335/info |
| 16 |
|
| 17 |
Mind you, this is the first time I've seen Wing mentioned, but over the |
| 18 |
years there have been dozens of other ftp servers cited for other flaws |
| 19 |
in security. |
| 20 |
|
| 21 |
My question: WTF uses these poorly written ftp servers? Why do they |
| 22 |
exist? Who asked for them? Who wrote the code, and why? |
| 23 |
|
| 24 |
My tentative guess: either evil programmers, or incompetent programmers. |
| 25 |
(I suspect the intersection of the two sets is very small.) |
| 26 |
|
| 27 |
Many years ago when I was still using M$ Windows I wrote my own hex |
| 28 |
editor in Visual Basic. I can't explain why I chose to do it, other |
| 29 |
than as an exercise to learn Visual Basic. (I haven't used it since.) |
| 30 |
|
| 31 |
I'm quite certain that my hex editor would flunk even the most basic |
| 32 |
security tests today because I wasn't programming with security in mind. |
| 33 |
(In other words, I was the rankest of amateurs.) |
| 34 |
|
| 35 |
I'm running out of indignation now, and going to bed, but I'd welcome |
| 36 |
other indignant comments :) |
Archives