Sunday, December 5, 2010

Song On The Casino Commercial



Hello!

Today I saw, in the SECmana links at Security By Default, that it has been discovered that the main proftpd FTP server had been compromised and that the code for version 1.3.3 contained a backdoor that allows identified users to gain root access.

What fun! A vulnerability in proftpd meant that the proftpd version downloaded last week contained another one... It reminds me of Inception!

But the question that comes to mind is: by the way, has the vulnerability that made it possible to modify the source code files hosted on the main FTP server been fixed? Reading the announcement of the discovery on the project's own website, we realize that a fix for the vulnerability already existed, but the server had not been patched... Olé!

In any case, this situation could have been avoided if, as they have now done, the checksum of the original file had been posted on the project's website and not only on the FTP server.

So, you know, if you downloaded proftpd between November 28 and December 2, you are almost certainly a winner, because the compromised server was the rsync distribution server for all the FTP mirrors.
And remember that whenever you download a file, you should verify its checksum.

Greetings!
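
The point about where the checksum is published, as an added example that is not part of the original post: the download is checked against the digest taken from the project website, and the digest file that sits next to the tarball on the mirror is used only to recognise that both were replaced together. SHA-256, the file name and the sample bytes are assumptions constructed for the example.

```python
import hashlib
import hmac
import pathlib
import tempfile

def file_digest(path, algo="sha256"):
    """Hash the file in chunks so large tarballs do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def parse_sums(text, filename):
    """Return the digest listed for filename in 'digest  name' lines, or None."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip().lstrip("*") == filename:
            return parts[0].lower()
    return None

def check_download(path, website_sums, mirror_sums):
    """Trust only the website digest; the mirror's own digest proves nothing."""
    name = pathlib.Path(path).name
    actual = file_digest(path)
    trusted, beside = parse_sums(website_sums, name), parse_sums(mirror_sums, name)
    if trusted is None:
        return "NO_TRUSTED_DIGEST"
    if hmac.compare_digest(actual, trusted):
        return "OK"
    if beside is not None and hmac.compare_digest(actual, beside):
        # File matches the mirror's digest but not the website's: both were swapped.
        return "TAMPERED_DIGEST_REPLACED_TOO"
    return "MISMATCH"

def demo():
    good, bad = b"original release bytes", b"release bytes plus backdoor"  # constructed
    name = "example-1.0.tar.gz"  # hypothetical file name
    website = f"{hashlib.sha256(good).hexdigest()}  {name}\n"  # independent channel
    mirror = f"{hashlib.sha256(bad).hexdigest()} *{name}\n"    # same server as the file
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d) / name
        for content in (good, bad):
            path.write_bytes(content)
            results.append(check_download(path, website, mirror))
    return results

if __name__ == "__main__":
    print(demo())
```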
