5233674 2000-06-28 00:39 /64 lines/ Postmaster
Recipient: Bugtraq (import) <11461>
Subject: Concerning the LDAP Enabled Netscape FTP Server
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
X-Sender: ah@mail
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.GSO.4.21.0006270916182.23667@mail>
Message-ID: <Pine.GSO.4.21.0006270916180.23667-100000@mail>
Date: Tue, 27 Jun 2000 09:21:36 -0700
Reply-To: Alfred Huger <ah@SECURITYFOCUS.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Alfred Huger <ah@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Over the last few days a great number of people have mailed us in
regards to the "Netscape Professional Services FTP Server
Vulnerability" (http://www.securityfocus.com/bid/1375) discovered by
Michal Zalewski <lcamtuf@tpi.pl> and posted to the Bugtraq mailing list
on Wed, 21 Jun 2000. The following mail which we received should shed
some light on the subject.

Thanks to both Netscape and Kurt Seifried for digging into this.

Alfred Huger
VP of Engineering
SecurityFocus.com

---------- Forwarded message ----------
Date: Tue, 27 Jun 2000 16:51:00 +0200
From: Uwe Springmann <uspring@netscape.com>
To: Kurt Seifried <seifried@securityportal.com>
Cc: vuldb@securityfocus.com, lord@netscape.com
Subject: Re: Netscape ftp Server (fwd)

Kurt,

I do know your name as I am routinely reading your weekly postings.
Good work!

Concerning Netscape FTP-Server: The fact is, there are versions of this
software which have the posted problems. This LDAP-aware ftp server
never was an official Netscape product but something our Professional
Service people used to supply our Enterprise Web Server with upload
functionality (especially with big ISP's and virtual domain hosting).
Every installation of this software required making adaptations and
changing the code in several ways.
At present we don't know which version at which site might be
vulnerable. We do know that we have installations in Germany which are
not vulnerable (the mail below refers to these installations).

Currently we are working to do an overhaul of this piece of software to
give customers the possibility to use an LDAP-aware FTP-server, and to
get rid of these security problems. This is a high priority project and
I'll let you know when it is finished.

The BUGTRAQ people asked for a contact within Netscape for general
Netscape / iPlanet products security issues. Bob Lord (now Director for
Security with the Mozilla Project) will serve this role and could route
to the appropriate people within our company.

I will keep you posted.

Uwe
(5233674) ------------------------------------------(Rewrapped)

5239463 2000-06-29 22:52 /73 lines/ Postmaster
Recipient: Bugtraq (import) <11521>
Subject: (forw) Re: Netscape ftp Server (fwd)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20000629105953.L23338@securityfocus.com>
Date: Thu, 29 Jun 2000 10:59:53 -0700
Reply-To: aleph1@SECURITYFOCUS.COM
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

----- Forwarded message from Uwe Springmann <uspring@netscape.com> -----

Message-ID: <395B8BDA.F4C200E8@netscape.com>
Date: Thu, 29 Jun 2000 19:48:10 +0200
From: uspring@netscape.com (Uwe Springmann)
Organization: iPlanet E-Commerce Solutions
X-Mailer: Mozilla 4.7 [en] (WinNT; I)
To: Kurt Seifried <seifried@securityportal.com>
CC: aleph1@securityfocus.com
Subject: Re: Netscape ftp Server (fwd)

The problem with the ftp-server has been fixed. A bugfix is available
from us now, a new version will be issued within some weeks. Customers
who are interested may contact me.
Uwe

Kurt Seifried wrote:

> > ---------- Forwarded message ----------
> > Date: Fri, 23 Jun 2000 17:19:55 +0200
> > From: Uwe Springmann <uspring@netscape.com>
> > To: vuldb@securityfocus.com
> > Subject: Netscape ftp Server
> >
> > Re. http://www.securityfocus.com/vdb/bottom.html?vid=1375:
> >
> > We tested the documented issues today on two sites and couldn't
> > verify these problems. At these sites there are no security issues
> > with our ftp server.
> >
> > We guess the reported problems are due to a special misconfigured
> > environment and/or a non-authoritative codebase.
> >
> > An official statement addressing the reported issues will follow next
> > week.
>
> Could you please forward that to me as well, I do some of the weekly
> security digests and I included that netscape "problem". If it is indeed a
> non problem I'd like to let people know. Thanks in advance.
>
> > Yours sincerely,
> >
> > Dr. Uwe Springmann
>
> Kurt Seifried
> SecurityPortal, your focal point for security on the net
> http://www.securityportal.com/

Content-Description: Card for Uwe Springmann

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
(5239463) ------------------------------------------