Monday, 8 March 2010

This is just sad

So I was taking a poke at a friend's server, doing a preliminary sweep for them. I noticed that they were running filezilla 0.9.33 and so I did a quick google search for "filezilla 0.9.33 vuln". What I came up with scared me a little bit. It wasn't that I found some huge gaping vulnerability, but rather a level of ignorance from one of filezilla's forum admins that was simply astounding. Yuo can see the forum thread here , and find the CVE for the vulnerability being discussed here. The vulnerability that is being discussed is an information disclosure with the getcwd() function.

The site admin, botg, replies "What is FTP getcwd()? There's no such thing". Botg seems to think that this posting is about misuse of an ftp protocol command. He is then presented, by another user, with the CVE for this vulnerability. He then replies "Thank you, I know how to use Google. Doesn't change the fact that there's no such thing as FTP getcwd(), whatever that means". This is the statement, that more than anything else, blows me away.

In the scan results the original user posted it says
Details: The FTP daemon exhibits a descriptor leak in the getcwd (get current working directory) function.
Extra info: None.
Fix: Upgrade your libc C library to the current version.
And in botg's reply, he even includes the function brackets when referring to getcwd. Funny botg, that sure looks like a programming function call, now doesn't it? His snarky reply even sews the seeds of his own demise. "I know how to use google". Oh really? Let me help you out . As the first link describes the C function getcwd() I would say you seem to have some problems using google after all. I would also say, that you obviously have no understanding of how software vulnerabilities happen. If you think that vulnerabilities happen by some command the user can just type in and "hack the gibson", you need to stop watching TV mate. "It's not my job to know these things" you might say. No, but you are in the position of helping users, and this one came to you with a question. Rather than doing any decent amount of research, you opened your mouth and inserted your foot. Let's forget the whole Google bit, or the fact that it is immediately obvious that this is a C function call. I once again point you to the scan results the user posted:

Fix: Upgrade your libc C library to the current version.

Hrm, I wonder if that might provide a clue as to what's going on here? If this is the level of support a filezilla user can expect, I feel very sorry for them.

Update: I decided to register for their forums, so i could post some useful advice to this thread. I would take the high road, instead of just sitting back and being snarky myself. Imagine my surprise when my confirmation email comes in to activate my account, and my username and password are both on it in plaintext...uggggg. These people make me want to cry!

No comments:

Post a comment