VID 16010
Severity 20
Port 21
Protocol TCP
Class FTP
Detailed Description The FTP server allows anonymous FTP login. FTP (File Transfer Protocol) is a protocol for transferring files between systems, and the FTP service is used by many data distribution applications. Some systems use an FTP server so that users can upload or download files. An FTP server that permits anonymous access may let unauthenticated users browse files (including password files) or execute commands against other parts of the server. Anonymous FTP is convenient because anyone who connects can log in. As intrusions and attacks increase, anonymous FTP access can be abused in many ways. For example, an anonymous FTP site can be used as a "drop zone", a collection point for illegal files.

* References:
http://xforce.iss.net/xforce/xfdb/52
Recommendation Do not allow anonymous FTP access unless it is really necessary. Also, set up logging of every FTP access and transfer, and review the logs periodically to find patterns of misuse. The FTP server's home directory must not be writable and must not be accessible to system IDs (root, uucp, nobody, bin).
If possible, filter the FTP service at the firewall so that it does not pass through.
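One way to carry out the periodic log review recommended above, as an added example that is not part of the original advisory: it flags files stored by anonymous sessions, the "drop zone" pattern. It assumes the server writes the wu-ftpd style xferlog transfer log; the function names and the sample log lines are constructed for illustration.

```python
from collections import Counter

# Constructed sample lines in xferlog format (assumption: the server writes
# this wu-ftpd style transfer log; addresses are documentation ranges).
SAMPLE_LOG = """\
Mon Mar  4 10:15:02 2024 1 198.51.100.7 20480 /pub/README.txt a _ o a guest@example.org ftp 0 * c
Mon Mar  4 10:17:40 2024 12 203.0.113.9 73400320 /incoming/.hidden/part01.rar b _ i a x@x ftp 0 * c
Mon Mar  4 10:19:11 2024 14 203.0.113.9 73400320 /incoming/.hidden/part02.rar b _ i a x@x ftp 0 * c
Mon Mar  4 11:02:55 2024 3 192.0.2.44 51200 /home/alice/report.pdf b _ i r alice ftp 0 * c
truncated line
"""

def parse_xferlog_line(line):
    """Return a dict for one xferlog record, or None if the line is malformed."""
    tok = line.split()
    # 5 date tokens, transfer time, host, size, 1+ filename tokens, 9 trailing
    # fields. The trailing fields are read from the right so a filename with
    # spaces does not shift them.
    if len(tok) < 18 or not tok[7].isdigit():
        return None
    tail = tok[-9:]
    return {
        "when": " ".join(tok[0:5]),
        "host": tok[6],
        "bytes": int(tok[7]),
        "path": " ".join(tok[8:-9]),
        "direction": tail[2],  # i = incoming (upload), o = outgoing, d = delete
        "access": tail[3],     # a = anonymous, g = guest, r = real user
        "user": tail[4],       # anonymous sessions: the string given as password
        "status": tail[8],     # c = complete, i = incomplete
    }

def anonymous_uploads(log_text):
    """Records where an anonymous session stored a file on the server."""
    records = (parse_xferlog_line(line) for line in log_text.splitlines())
    return [r for r in records if r and r["access"] == "a" and r["direction"] == "i"]

def upload_bytes_by_host(log_text):
    """Total bytes uploaded anonymously per client address, for periodic review."""
    totals = Counter()
    for r in anonymous_uploads(log_text):
        totals[r["host"]] += r["bytes"]
    return dict(totals)

if __name__ == "__main__":
    for r in anonymous_uploads(SAMPLE_LOG):
        print(r["when"], r["host"], r["bytes"], r["path"])
    print(upload_bytes_by_host(SAMPLE_LOG))
```

If the FTP home directory is unwritable as recommended, any record this returns indicates a misconfigured writable path.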
Related URL CVE-1999-0497 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)