Opened 16 months ago
Closed 16 months ago
#66784 closed defect (invalid)
Able to login in FTP server anonymously
| Reported by: | Ghost788769 | Owned by: | admin@… |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | server/hosting | Version: | |
| Keywords: | Cc: | ||
| Port: |
Description
Steps Reproduce:
- Run command: ftp rsync-origin.macports.org
- Enter username: anonymous & password: anonymous
- You can logged with ftp server successfully.
- You have full access to files on that server.
- You can download,upload,edit or modify files on server.
PoC video: https://drive.google.com/file/d/1RjZtqS45kPtbT6HOD42GQEuLmNvqcEnY/view?usp=sharing
Impact: Able to sign in with on ftp server remotely.
Thanks,
Can I bug bounty or hall of fame for reporting this issue? I don't know where to report this issue to the Apple or Macports.
Change History (5)
comment:1 Changed 16 months ago by ryandesign (Ryan Carsten Schmidt)
| Component: | ports → server/hosting |
|---|---|
| Owner: | set to admin@… |
comment:2 Changed 16 months ago by Ghost788769
What did I get if I prove the impact over ftp server?
comment:4 Changed 16 months ago by ryandesign (Ryan Carsten Schmidt)
As I said it's not our server, so if you have discovered a vulnerability all that I will do is report it to the administrators of that server. You can report the problem to them directly if you prefer. Their contact information is on their web site.
comment:5 Changed 16 months ago by neverpanic (Clemens Lang)
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
$ ftp rsync-origin.macports.org Connected to ftp.fau.de. 220 Welcome to ftp.fau.de - FTP-Server der Friedrich-Alexander-Universitaet Erlangen-Nuernberg Name (rsync-origin.macports.org:********): anonymous 331 Anonymous login ok, send your complete email address as your password Password: 230 Anonymous access granted, restrictions apply Remote system type is UNIX. Using binary mode to transfer files. ftp> cd macports/distfiles 250 CWD command successful ftp> put test local: test remote: test 200 EPRT command successful 550 test: Operation not permitted
Since this is a public mirror of various open source software and the same files are also available at https://ftp.fau.de/, this is not a security issue. There is no write access.
MacPorts does not administer that server; it is administered by a third party.
The video shows you are able to see files on the server. That is intended. It is a public ftp and rsync server. As such, I am inclined to close this bug as invalid.
You claim to be able to upload, edit, or modify files on the server. The video doesn't show that. I tried to upload and delete files within the macports subdirectory on that server after logging in with anonymous ftp and it said "Operation not permitted". If you can provide a set of steps that demonstrate this ability please let us know.
MacPorts does not have a bug bounty program or a bug reporting hall of fame.