Comment to task #5488 in proftpd: Login Timing Differences Disclose
Valid User Account Names to Remote Users
Flyspray - The bug killer!
btsadmin at pld-linux.org
Mon Nov 8 21:56:49 CET 2004
Project: PLD 2.x (Ac)
Package: proftpd
Summary: Login Timing Differences Disclose Valid User Account Names
to Remote Users
Commented by: Krzysztof Królikowski (krolik)
Comment: Take a look at this sample remote exploit.
http://security.lss.hr/PoC/index.php?p=adv&ID=LSS-2004-10-02
This bug allows determining which user accounts are special, existent
or non-existent. After tests I realize that these average timings
describing every type of account are very similar, so it's hard to
guess, for example, which account exists or not.
For more information, see:
http://bugs.pld-linux.org/index.php?do=details&id=5488&area=comments#tabs}
------------------------------------------------------------------------
THIS IS AN AUTOMATICALLY GENERATED MESSAGE, DO NOT REPLY