Bug 10111 - Ftp server default account and password, there are security risks
Status: RESOLVED INVALID
Alias: None
Product: Busybox
Classification: Unclassified
Component: Networking
Version: 1.24.x
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: unassigned
Reported: 2017-07-20 12:37 UTC by wei shu
Modified: 2017-07-20 13:40 UTC
Description wei shu 2017-07-20 12:37:23 UTC
int ftpgetput_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
int ftpgetput_main(int argc UNUSED_PARAM, char **argv)
{
	unsigned opt;
	const char *port = "ftp";
	/* socket to ftp server */
    
#if ENABLE_FTPPUT && !ENABLE_FTPGET
# define ftp_action ftp_send
#elif ENABLE_FTPGET && !ENABLE_FTPPUT
# define ftp_action ftp_receive
#else
	int (*ftp_action)(const char *, char *) = ftp_send;

	/* Check to see if the command is ftpget or ftput */
	if (applet_name[3] == 'g') {
		ftp_action = ftp_receive;
	}
#endif

	printf("Warning: ftp is not a secure protocol, and it is recommended to use sftp. \n");

	INIT_G();
	/* Set default values */
	user = "anonymous";
	password = "busybox@";
......
}

The above code specifies the default account and password for the ftp server. If the user's ftp server account and password are the same as the default server account and password, the device file can be transferred without writing the account and password, so there are security risks.
Comment 1 Denys Vlasenko 2017-07-20 13:40:21 UTC
(In reply to wei shu from comment #0)
> The above code specifies the default account and password for the ftp server,

No, it does not; this code sets up the default login and password for the FTP *client*.
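
Added example, not part of the bug thread or of BusyBox: because these defaults belong to the client, a practical check is to find ftpget/ftpput invocations in device scripts that omit -u or -p and therefore log in as "anonymous" / "busybox@". The function name, output format and sample script (constructed, using documentation addresses) are assumptions.

```shell
#!/bin/sh
# audit_ftp_defaults [FILE...]: report ftpget/ftpput invocations that omit
# -u and/or -p and so fall back to the built-in client defaults
# (user "anonymous", password "busybox@"). Reads stdin when no FILE is given.
audit_ftp_defaults() {
	awk '
	$1 ~ /^#/ { next }                          # ignore comment lines
	{
		for (i = 1; i <= NF; i++) {
			# match bare, "busybox ftpget" and path-qualified invocations
			if ($i !~ /(^|\/)ftp(get|put)$/) continue
			has_u = 0; has_p = 0
			for (j = i + 1; j <= NF; j++) {
				if ($j ~ /^[;|&]/) break        # next command on the same line
				# short options may be clustered (-vu USER) or attached (-uUSER);
				# long options exist when BusyBox is built with them enabled
				if ($j ~ /^-[cv]*u/ || $j ~ /^--username/) has_u = 1
				if ($j ~ /^-[cv]*p/ || $j ~ /^--password/) has_p = 1
			}
			if (!has_u || !has_p) {
				printf "%d: %s missing%s%s\n", FNR, $i, (has_u ? "" : " -u"), (has_p ? "" : " -p")
			}
		}
	}' "$@"
}

# Constructed sample script used to exercise the check.
sample_script() {
	cat <<'EOF'
#!/bin/sh
# ftpget -u old example in a comment
ftpget 192.0.2.10 fw.bin /pub/fw.bin
ftpput -u backup -p "$FTP_PASS" 192.0.2.10 cfg.tar cfg.tar
busybox ftpget -vu backup 192.0.2.10 a.log a.log && echo done
/usr/bin/ftpput -P 2121 192.0.2.10 core core
EOF
}

sample_script | audit_ftp_defaults
```

A line that passes only -u still sends the default password "busybox@", which is why the two options are reported separately.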