Page 1 of 2 (results 1 to 25 of 30)
  1. #1
    HyperVM is now officially Open Source :)

    Hello,

    Last Sunday, HyperVM and Kloxo were announced as Open Source (licensed under AGPL-3.0).

    The official announcement and information to access the SVN repos can be found at:

    forum.lxcenter.org/index.php?t=msg&th=13296&start=0&

  2. #2
    Join Date: Mar 2007 | Location: Phoenix, AZ, United States | Posts: 1,525
    Did anyone catch the url for the svn repo?
    drew@slicie.com - Vertical Scaling Servers
    30 Minute Backups - Pay for what you use

  3. #3
    Quote Originally Posted by HostSentry View Post
    Did anyone catch the url for the svn repo?
    It's there, scroll down the topic.

    On first message is the announcement, the svn repo is in the 3rd message.

    I can't post links on this board; I don't have 5 messages yet (shame on me lol).

  4. #4
    Join Date: Mar 2007 | Location: Phoenix, AZ, United States | Posts: 1,525
    Not sure how I missed that, thanks
    drew@slicie.com - Vertical Scaling Servers
    30 Minute Backups - Pay for what you use

  5. #5
    Join Date: Feb 2008 | Location: Houston, Texas, USA | Posts: 3,262
    That's great news! But it'll take a few bumps before things stabilize later this year.

    Regards
    Joe
    UNIXy - Fully Managed Servers and Clusters - Established in 2006
    Server Management - Unlimited Servers. Unlimited Requests. One Plan!
    cPanel Varnish Plugin -- Seamless SSL Caching (Let's Encrypt, AutoSSL, etc)
    Slow Site or Server? Unable to handle traffic? Same day performance fix: joe@unixy

  6. #6
    Join Date: Mar 2009 | Location: /usr/bin/perl | Posts: 971
    That project will need new management if it is ever going to recover.

    The user NetTuningGroup, who I assume runs the show over there, seems . . . less than knowledgeable and professional.

    I wonder if it isn't too little, too late with all of the new CP's that have sprung up.

  7. #7
    Well, good news. Kloxo is a good web hosting panel. This is good for small businesses.

  8. #8
    Join Date: Dec 2007 | Posts: 612
    Now that the source is out there, what do you guys think of it?

  9. #9
    Quote Originally Posted by jarrodsl View Post
    That project will need new management if it is ever going to recover.

    The user NetTuningGroup, who I assume runs the show over there, seems . . . less than knowledgeable and professional.

    I wonder if it isn't too little, too late with all of the new CP's that have sprung up.
    I also believe that they took way too long to take action; during all the waiting, it looks like HyperVM lost most of their customers. Sometimes it seems that they waited until the project turned into "abandonware" to take action....
    There's almost no one posting on their forums now, most of the users are gone, but with HyperVM becoming open source there's new hope.

    Even with all the new panels on the market, I believe that HyperVM still has a good chance to be on top again...

    If you stop and think about it, HyperVM is a mature, fully featured enterprise product; "most" of the panels out there can't do 1/5 of the things that HyperVM can do!

    I may be wrong about this:
    One other thing that you must be aware of is: nobody knows for sure if the VAserv problem was a zero-day exploit or a bad password policy (passwords stored on Gmail?).
    Well, if someone has access to the admin password on your systems, you are in great danger.
    I do believe that HyperVM is a great product, and being open source I also believe that it will soon take its place in the market.

    In the worst case scenario, if the administration of the LXCenter consortium fails to administer the source code, you will notice that the real programmers will fork HyperVM and you will probably see a "hypervm-ng" rising. But until they fail, I do believe that they deserve a second chance.

    As far as I know, NetTuningGroup (or Danny) invested a lot of time and effort to make this happen.

    Just My 2 Cents...

  10. #10
    Quote Originally Posted by seedreactor View Post
    Well, good news. Kloxo is a good web hosting panel. This is good for small businesses.
    You shouldn't use Kloxo at this moment; the security bugs are still there. But well, now the source is out and I do believe that in a short time those will be addressed.

  11. #11
    Join Date: Aug 2007 | Posts: 6,884
    It's good news. We can hope that in the near future we will see a bug-free HyperVM.
    iHubNet Ltd - Premium Hosting Solutions 4 ALL
    Solid Support Solid Equipment Solid Network
    Shared Hosting / Reseller Hosting / Managed Server
    Matt A.

  12. #12
    Quote Originally Posted by Matt - Kerplunc View Post
    Now that the source is out there, what do you guys think of it?
    Although I don't know what HyperVM's coding styles are, just by looking at it it seems like a mess: they have PascalCase, camelCase and underscore functions, and even some weird hybrid of underscore functions with camelCase, e.g. get_blahThing.

  13. #13
    Join Date: Apr 2000 | Location: Nevada, US | Posts: 5,550
    Quote Originally Posted by nwmcsween View Post
    Although I don't know what HyperVM's coding styles are, just by looking at it it seems like a mess: they have PascalCase, camelCase and underscore functions, and even some weird hybrid of underscore functions with camelCase, e.g. get_blahThing.

    The source code looks very sloppy indeed.
    SmartHost™ - Intelligent Hosting! - Multiple Locations - US/EU! - Ultra-Fast NVME SSD VPS!
    http://www.smarthost.net - sales@smarthost.net - Resale/Affiliate Programs
    Cloud Hosting - VPS Hosting - Dedicated Servers - Colocation - Flux Capacitors

  14. #14
    Join Date: Sep 2008 | Location: Dallas, TX | Posts: 4,568
    Quote Originally Posted by brooklynite View Post
    I have heard hypervm is good.
    Howdy Brooklyn,

    HyperVM is good, or IMO it is. There was the whole security flaw back in June, but nevertheless the issues are fixed. The owner did sadly kill himself, so it's good to see it go open source.
    Jacob Wall

  15. #15
    Join Date: Sep 2009 | Location: Australia | Posts: 39
    Ecckk, their forum is currently down. Hope this is not a sign!

  16. #16
    Join Date: Jan 2004 | Posts: 1,042
    While their feature set is quite robust, the software is very poorly coded and it's not worth the risk at this point to rest a company's reputation/clients' data on it. I also really have no faith in how the new project has been taken forward and its leadership.

  17. #17
    I must admit it's about time it went OS, but the biggest problem I saw, and hence didn't return, is the inability of the consortium to make a decision and act on it...

    The product feature set is very good, as per MACscr; the leadership isn't from a "moving forward" POV.

    Just my 2 cents
    NetEarth One
    ICANN Accredited Registrar, https://reseller.netearthone.com
    Full UK support, 7 days a week 365 days a year!

  18. #18
    Join Date: Aug 2004 | Location: Shanghai | Posts: 1,475
    Quote Originally Posted by harris404 View Post
    If you stop and think about it, HyperVM is an enterprise product mature and fully featured, "most" of the panels out there can't do 1/5 of the things that hypervm can do!
    How does HyperVM compare to our control panel? What are the features that we don't have?

    I've just downloaded the SVN of HyperVM, and got immediately stunned by what I could read in the LICENSE file at the top of the sources:

    Code:
    You Agree to
    You will not distribute any information, source code or opinions without the approval from the board
    What the hell is this? Is the product really open source? This is a total violation of the license it is claiming to use. For me, reading this, the product is still not free software...

    Thomas
    GPLHost:>_ open source hosting worldwide (I'm founder, CEO & official Debian Developer)
    Servers & our leading control panel and our Xen VPS hosting, which are already included in Debian and Ubuntu
    Available in: Kuala Lumpur, Singapore, Sydney, Seattle, Atlanta, Paris, London, Barcelona, Zurich, Israel

  19. #19
    Join Date: Aug 2004 | Location: Shanghai | Posts: 1,475
    Other things after I downloaded, that I could see...

    I can see horrible stuff in this package that I didn't even think was possible for a Unix project. It seems that HyperVM is packaged using ZIP FILES!!! Yes, you are reading that right. That's unbelievable for anyone with the minimum knowledge of Unix. A zip file, as far as I know, doesn't have Unix rights in it. It means that there's absolutely zero Unix rights management in the files of the panel.

    I downloaded the files using SVN, but there are some CVS folders. WHY?

    HyperVM seems to embed some libraries. I could see:

    fckeditor (a version from 2007 it seems...)
    extjs 1.1 (when 3.0.0 is out !!!)
    yui 2.2.2 (when Lenny has 2.5, and at least 2.7 is out !!!)
    DOMcollapse (3.0 from 06.12.2005)
    rsnapshot (from 2008/02/19)
    vncviewer
    sshterm-applet
    ...

    The list goes on, and on, and on. At this point I stopped my investigation.

    Embedding libraries in a project is just *plain bad*, and forbidden by most distributions (at least in Debian), because it would be a security maintenance nightmare (X number of packages to maintain instead of 1, plus all the duplication of files, differences in release numbers leading to patches that wouldn't apply, etc.). Embedding OUTDATED libraries is even worse, and god knows what security issues they have. That extjs is literally YEARS old.

    I'm not even talking about the fact that nowhere could I see a copyright file mentioning these embedded libraries, which is normally the way to go.

    Also, that makes me think that the original author of HyperVM didn't mention these libs, when it was his DUTY to make their source code available.

    Another funny thing. I did:

    Code:
    grep -ri --color '(c)' .
    and then I was even more stunned! Guess what you find when you do that? "Copyright (C) 2000-2006 SWsoft. All rights reserved." And LOADS of them. In fact, ALL SCRIPTS FOR SETTING UP THE NETWORK are taken from SWsoft (they are released under the GPL)!!!

    Do you guys still believe that HyperVM is usable after reading all these? I didn't even need to dive into the code to say it's not!!!

    Thomas
    GPLHost:>_ open source hosting worldwide (I'm founder, CEO & official Debian Developer)
    Servers & our leading control panel and our Xen VPS hosting, which are already included in Debian and Ubuntu
    Available in: Kuala Lumpur, Singapore, Sydney, Seattle, Atlanta, Paris, London, Barcelona, Zurich, Israel
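The zip-versus-Unix-permissions point in the post above is easy to check concretely. What follows is an added example, not HyperVM or LXCenter code: it builds a small constructed tree (an executable installer script and a 0600 key file), packs it with Python's standard zipfile and tarfile modules, extracts each archive and reports which mode bits came back. The file names and contents are made up for the demonstration.

```python
# Added example (not HyperVM or LXCenter code): what happens to Unix mode bits on
# a trip through a zip archive versus a tar archive, using only the standard
# library. The two sample files are constructed here; nothing is taken from the
# HyperVM tree.
import os
import stat
import tarfile
import tempfile
import zipfile

# Constructed sample tree: an installer script that must stay executable and a
# private key that must stay owner-only.
SAMPLE_FILES = {
    "setup.sh": ("#!/bin/sh\necho installing\n", 0o755),
    "id_rsa": ("-----BEGIN PRIVATE KEY-----\nnot a real key\n", 0o600),
}


def make_tree(root):
    """Write the sample files under root with their intended modes."""
    os.makedirs(root, exist_ok=True)
    for name, (body, mode) in SAMPLE_FILES.items():
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write(body)
        os.chmod(path, mode)


def mode_of(path):
    """Permission bits of a file on disk (rwx and setuid/setgid/sticky only)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def zip_roundtrip(work):
    """Pack, then extract with ZipFile.extractall(); return
    {name: (mode recorded in the archive, mode of the extracted file)}.

    zipfile does record st_mode, in the high 16 bits of each entry's
    external_attr, when the archive is written on Unix. extractall() never
    calls chmod, though, so every extracted file gets open()'s default:
    0o666 masked by the umask, never executable.
    """
    src, dst = os.path.join(work, "zip_src"), os.path.join(work, "zip_dst")
    make_tree(src)
    archive = os.path.join(work, "panel.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        for name in SAMPLE_FILES:
            zf.write(os.path.join(src, name), arcname=name)
    result = {}
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(dst)
        for info in zf.infolist():
            stored = stat.S_IMODE(info.external_attr >> 16)
            result[info.filename] = (stored, mode_of(os.path.join(dst, info.filename)))
    return result


def zip_extract_with_modes(archive, dst):
    """Extract a zip and re-apply the recorded rwx bits for entries written on
    Unix (create_system == 3). Only the 0o777 bits are restored: setuid, setgid
    and sticky bits from an archive you did not build must not be applied blindly."""
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            target = zf.extract(info, dst)  # extract() strips '..' and absolute prefixes
            if info.create_system == 3 and not info.is_dir():
                os.chmod(target, stat.S_IMODE(info.external_attr >> 16) & 0o777)
    return {name: mode_of(os.path.join(dst, name)) for name in SAMPLE_FILES}


def tar_roundtrip(work):
    """Same round trip through tar, which stores modes natively and restores them
    on extraction. The 'data' filter (Python 3.12, backported to later security
    releases of 3.8-3.11) additionally strips setuid/setgid/sticky and
    group/other write bits from what the archive asks for."""
    src, dst = os.path.join(work, "tar_src"), os.path.join(work, "tar_dst")
    make_tree(src)
    archive = os.path.join(work, "panel.tar")
    with tarfile.open(archive, "w") as tf:
        for name in SAMPLE_FILES:
            tf.add(os.path.join(src, name), arcname=name)
    with tarfile.open(archive) as tf:
        try:
            tf.extractall(dst, filter="data")
        except TypeError:  # older Python without extraction filters
            tf.extractall(dst)
    return {name: mode_of(os.path.join(dst, name)) for name in SAMPLE_FILES}


def compare_archives():
    """Run the three round trips in a scratch directory; returns (zip, zip+chmod, tar)."""
    with tempfile.TemporaryDirectory() as work:
        zipped = zip_roundtrip(work)
        fixed = zip_extract_with_modes(os.path.join(work, "panel.zip"),
                                       os.path.join(work, "zip_fixed"))
        tarred = tar_roundtrip(work)
    return zipped, fixed, tarred


if __name__ == "__main__":
    zipped, fixed, tarred = compare_archives()
    for name in SAMPLE_FILES:
        print(f"{name}: archive says {zipped[name][0]:04o}, zip extracted {zipped[name][1]:04o}, "
              f"zip+chmod {fixed[name]:04o}, tar extracted {tarred[name]:04o}")
```

What it shows: a zip written on Unix does carry the mode in each entry's external attributes, so the format itself is not the whole story, but an extractor that ignores that field (ZipFile.extractall() is one) leaves every file at the umask default, and the installer then has to chmod everything by hand, which is exactly the step that gets forgotten. Restoring only the 0o777 bits, as zip_extract_with_modes() does, keeps a setuid bit in someone else's archive from landing on your node; tar with the 'data' filter gives the same protection for free.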

  20. #20
    Join Date: Oct 2009 | Posts: 590
    Quote Originally Posted by gplhost View Post
    Other things after I downloaded, that I could see...

    I can see horrible stuff in this package that I didn't even think was possible for a Unix project. It seems that HyperVM is packaged using ZIP FILES!!! Yes, you are reading that right. That's unbelievable for anyone with the minimum knowledge of Unix. A zip file, as far as I know, doesn't have Unix rights in it. It means that there's absolutely zero Unix rights management in the files of the panel.

    I downloaded the files using SVN, but there are some CVS folders. WHY?

    HyperVM seems to embed some libraries. I could see:

    fckeditor (a version from 2007 it seems...)
    extjs 1.1 (when 3.0.0 is out !!!)
    yui 2.2.2 (when Lenny has 2.5, and at least 2.7 is out !!!)
    DOMcollapse (3.0 from 06.12.2005)
    rsnapshot (from 2008/02/19)
    vncviewer
    sshterm-applet
    ...

    The list goes on, and on, and on. At this point I stopped my investigation.

    Embedding libraries in a project is just *plain bad*, and forbidden by most distributions (at least in Debian), because it would be a security maintenance nightmare (X number of packages to maintain instead of 1, plus all the duplication of files, differences in release numbers leading to patches that wouldn't apply, etc.). Embedding OUTDATED libraries is even worse, and god knows what security issues they have. That extjs is literally YEARS old.

    I'm not even talking about the fact that nowhere could I see a copyright file mentioning these embedded libraries, which is normally the way to go.

    Also, that makes me think that the original author of HyperVM didn't mention these libs, when it was his DUTY to make their source code available.

    Another funny thing. I did:

    Code:
    grep -ri --color '(c)' .
    and then I was even more stunned! Guess what you find when you do that? "Copyright (C) 2000-2006 SWsoft. All rights reserved." And LOADS of them. In fact, ALL SCRIPTS FOR SETTING UP THE NETWORK are taken from SWsoft (they are released under the GPL)!!!

    Do you guys still believe that HyperVM is usable after reading all these? I didn't even need to dive into the code to say it's not!!!

    Thomas
    I'm no coder but some of your 'logic' doesn't make sense to me. First of all, most of the things you mention are no secret. Of course there is SWsoft code in there. HyperVM is quite intelligently designed to keep things like OpenVZ very much the way OpenVZ was intended to be. SSH-Term, well, that is certainly no revelation. Run the console in HyperVM and click on "About" and you see it is SSH-Term. Google it and you will find thousands of sites and all sorts of products using it. Install HyperVM and go to /usr/local/lxlabs/hypervm/httpdocs/thirdparty. There are the third-party apps you mentioned. So this is suddenly news to you?????

    Speaking as a user, HyperVM is actually quite a brilliant piece of work for one guy, considering everything it does, and does quite well I might add. He could have used some help cleaning up the code and keeping up with maintaining it, but for one guy it's quite amazing what he did. Not many people, or even a team of people, could have done all that half as well.

    As far as the whole security thing: I looked into it further and although Kloxo may have some lingering problems, HyperVM is not a security problem, and HyperVM is the important one since it controls the nodes. Less so now, but it never was a huge security threat. That incident with the one company turned out to be unrelated to HyperVM/Kloxo. They got hold of the guy's master server root password. They even posted online exactly what they did to prove it. It does not matter what software you are running if you're not using keys and someone has your root password.
    Last edited by UnfinishedSentenc; 11-14-2009 at 02:49 AM.

  21. #21
    Join Date: Aug 2004 | Location: Shanghai | Posts: 1,475
    Quote Originally Posted by mustardman View Post
    I'm no coder but some of your 'logic' doesn't make sense to me.
    What exactly is not logical in what I wrote? Saying that EMBEDDING some OUTDATED VERSIONS of many things is a horrible way of doing things is quite logical, no? What don't you understand here? You don't need to be a programmer to understand that having libraries separated from the security updates of the operating system AND not doing any updates of them is quite a bad practice, do you?

    Quote Originally Posted by mustardman View Post
    HyperVM is not a security problem
    It quite is a security problem. What I just wrote above doesn't even consider the source code, and there are issues. Others had a look; there were issues they found too, especially in the general way HyperVM is written. Moreover, the people that took over the maintenance didn't seem to even understand what a symlink attack or a race condition is. They don't seem to have the necessary level to fix it, and I saw them adding even more issues while trying to fix.

    Quote Originally Posted by mustardman View Post
    That incident with the one company turned out to be unrelated to HyperVM/Kloxo. They got hold of the guy's master server root password. They even posted online exactly what they did to prove it. It does not matter what software you are running if you're not using keys and someone has your root password.
    Who cares about that company's issue? That's not what we are talking about, we are talking about the multiple vulnerabilities and issues with the product itself, without considering anything else.

    You wrote yourself that you are not a programmer and can't be the judge, so why are you insisting that HyperVM is OK, when everyone that had a look at the source code thinks it's not?

    Thomas
    GPLHost:>_ open source hosting worldwide (I'm founder, CEO & official Debian Developer)
    Servers & our leading control panel and our Xen VPS hosting, which are already included in Debian and Ubuntu
    Available in: Kuala Lumpur, Singapore, Sydney, Seattle, Atlanta, Paris, London, Barcelona, Zurich, Israel

  22. #22
    Join Date: Oct 2009 | Posts: 590
    Quote Originally Posted by gplhost View Post
    What exactly is not logical in what I wrote? Saying that EMBEDDING some OUTDATED VERSIONS of many things is a horrible way of doing things is quite logical, no? What don't you understand here? You don't need to be a programmer to understand that having libraries separated from the security updates of the operating system AND not doing any updates of them is quite a bad practice, do you?
    When you figure out how he can update code from the grave, get back to me.


    Quote Originally Posted by gplhost View Post
    It quite is a security problem. What I just wrote above doesn't even consider the source code, and there are issues. Others had a look; there were issues they found too, especially in the general way HyperVM is written. Moreover, the people that took over the maintenance didn't seem to even understand what a symlink attack or a race condition is. They don't seem to have the necessary level to fix it, and I saw them adding even more issues while trying to fix.
    Ok, explain exactly how I can hack into my HyperVM server and I will verify. Tick tock tick tock!

    Quote Originally Posted by gplhost View Post
    Who cares about that company's issue? That's not what we are talking about, we are talking about the multiple vulnerabilities and issues with the product itself, without considering anything else.
    You care enough to reply, so maybe you can list these vulnerabilities, seeing as how you seem to have it all figured out.

    Quote Originally Posted by gplhost View Post
    You wrote yourself that you are not a programmer and can't be the judge, so why are you insisting that HyperVM is OK, when everyone that had a look at the source code thinks it's not?

    Thomas
    You insist that HyperVM is not OK, so I insist you prove it. Define 'everyone'. So you have talked to 'everyone', have you?

    But seriously, don't bother. I am simply pointing out you are just another clown talking out of your a$$ with no facts. Just adding to the background noise of all the other rumors which have no basis in fact once anyone with a few spare minutes does some basic fact checking, like this guy.

    h++p://forum.lxcenter.org/index.php?t=msg&th=12560&start=0&
    Last edited by UnfinishedSentenc; 11-14-2009 at 06:51 AM.

  23. #23
    Join Date: Oct 2007 | Location: United States | Posts: 1,182
    gplhost makes it his personal goal to pop up in every thread that mentions anything about HyperVM, and then to bad-mouth it.

    Well done gplhost, you found this thread as well...?
    www.opticip.com - Optic IP LLC

  24. #24
    Join Date: Oct 2009 | Posts: 590
    Quote Originally Posted by DMEHosting View Post
    gplhost makes it his personal goal to pop up in every thread that mentions anything about HyperVM, and then to bad mouth it.

    Well done gplhost, you found this thread as well...?
    Ahhhhh yes. Looking at his sig now where he is flogging his own gruel. Makes sense now.
    Last edited by UnfinishedSentenc; 11-14-2009 at 07:39 AM.

  25. #25
    Join Date: Oct 2009 | Posts: 590
    Perhaps gplhost needs to hire a security consultant for his own sites. Looks ripe for a spam relay at a minimum.


    HTTP TRACE / TRACK Methods Allowed
    Synopsis :

    Debugging functions are enabled on the remote web server.

    Description :

    The remote webserver supports the TRACE and/or TRACK methods. TRACE
    and TRACK are HTTP methods which are used to debug web server
    connections.

    In addition, it has been shown that servers supporting the TRACE
    method are subject to cross-site scripting attacks, dubbed XST for
    "Cross-Site Tracing", when used in conjunction with various weaknesses
    in browsers. An attacker may use this flaw to trick your legitimate
    web users to give him their credentials.

    See also :

    http://www.cgisecurity.com/whitehat-..._XST_ebook.pdf
    http://www.apacheweek.com/issues/03-01-24
    http://www.kb.cert.org/vuls/id/288308
    http://www.kb.cert.org/vuls/id/867593

    Solution :

    Disable these methods.

    Risk factor :

    Medium / CVSS Base Score : 4.3
    (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
    Solution :

    Add the following lines for each virtual host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

    Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
    support disabling the TRACE method natively via the 'TraceEnable'
    directive.

    Plugin output :

    Nessus sent the following TRACE request :

    ------------------------------ snip ------------------------------
    TRACE /Nessus27813.html HTTP/1.1
    Connection: Close
    Host: www.gplhost.com
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Accept-Language: en
    Accept-Charset: iso-8859-1,*,utf-8

    ------------------------------ snip ------------------------------

    and received the following response from the remote server :

    ------------------------------ snip ------------------------------
    HTTP/1.1 200 OK
    Date: Sat, 14 Nov 2009 11:56:06 GMT
    Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: message/http


    TRACE /Nessus27813.html HTTP/1.1
    Connection: Keep-Alive
    Host: www.gplhost.com
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Accept-Language: en
    Accept-Charset: iso-8859-1,*,utf-8

    ------------------------------ snip ------------------------------

    CVE : CVE-2003-1567, CVE-2004-2320
    BID : 9506, 9561, 11604, 33374
    Other references : OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485

    Nessus ID : 11213



    SSL Version 2 (v2) Protocol Detection

    Synopsis :

    The remote service encrypts traffic using a protocol with known
    weaknesses.

    Description :

    The remote service accepts connections encrypted using SSL 2.0, which
    reportedly suffers from several cryptographic flaws and has been
    deprecated for several years. An attacker may be able to exploit
    these issues to conduct man-in-the-middle attacks or decrypt
    communications between the affected service and clients.

    See also :

    http://www.schneier.com/paper-ssl.pdf

    Solution :

    Consult the application's documentation to disable SSL 2.0 and use SSL
    3.0 or TLS 1.0 instead.

    Risk factor :

    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)


    Nessus ID : 20007


    MTA Open Mail Relaying Allowed

    Synopsis :

    An open SMTP relay is running on this port.

    Description :

    The remote SMTP server seems to allow the relaying. This means that
    it allows spammers to use your mail server to send their mails to
    the world, thus wasting your network bandwidth.

    Solution :

    Reconfigure your SMTP server so that it cannot be used as a relay
    any more.

    Risk factor :

    High / CVSS Base Score : 7.8
    (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

    CVE : CVE-1999-0512, CVE-2002-1278, CVE-2003-0285
    BID : 6118, 7580, 8196
    Other references : OSVDB:6066, OSVDB:7993

    Nessus ID : 10262


    SSL Weak Cipher Suites Supported

    Synopsis :

    The remote service supports the use of weak SSL ciphers.

    Description :

    The remote host supports the use of SSL ciphers that offer either weak
    encryption or no encryption at all.

    See also :

    http://www.openssl.org/docs/apps/ciphers.html

    Solution :

    Reconfigure the affected application if possible to avoid use of weak
    ciphers.

    Risk factor :

    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

    Plugin output :

    Here is the list of weak SSL ciphers supported by the remote server :

    Low Strength Ciphers (< 56-bit key)
    SSLv2
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
    EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
    SSLv3
    EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
    EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
    TLSv1
    EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
    EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

    The fields above are :

    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}


    Nessus ID : 26928


    Anonymous FTP Enabled

    Synopsis :

    Anonymous logins are allowed on the remote FTP server.

    Description :

    This FTP service allows anonymous logins. Any remote user may connect
    and authenticate without providing a password or unique credentials.
    This allows a user to access any files made available on the FTP server.

    Solution :

    Disable anonymous FTP if it is not required. Routinely check the FTP
    server to ensure sensitive content is not available.

    Risk factor :

    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

    Plugin output :

    The contents of the remote FTP root are :
    drwxr-xr-x 4 0 0 4096 Jun 2 19:24 debian
    -r--r--r-- 1 0 0 332 Jun 2 15:07 mirror-config-file
    drwxr-sr-x 2 0 0 4096 Jan 2 2007 misc
    drwxr-sr-x 17 0 0 4096 Mar 19 2009 pub
    -r--r--r-- 1 0 0 333 May 19 08:13 readme.mirrors
    -r--r--r-- 1 0 0 1423 Jun 3 08:55 welcome.msg
    drwxr-xr-x 3 1004 1004 4096 Sep 2 16:42 yum

    CVE : CVE-1999-0497
    Other references : OSVDB:69

    Nessus ID : 10079
    Last edited by UnfinishedSentenc; 11-14-2009 at 08:08 AM.
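To re-check two of the findings in that scan without Nessus, here is an added example (not from the thread, and not Nessus or Tenable code): a TRACE probe that decides from the raw reply whether the request was echoed back, which is the precondition for the Cross-Site Tracing attack the plugin text describes, plus a parser for the "ciphername Kx= Au= Enc= Mac= export" table format the weak-cipher plugin prints. The X-Probe marker header and its value are made up, the hostname is the one from the scan excerpt, and the sample reply, the 403 and the cipher lines are constructed for the offline test.

```python
# Added example, not from the thread or from Nessus. The marker header name and
# value below are made up; the hostname is the one from the scan excerpt.
import re
import socket

PROBE_MARKER = "xst-check-7f3a"  # arbitrary value we expect a reflecting server to echo


def build_trace_request(host, path="/probe.html"):
    """TRACE request carrying a marker header; a server with TRACE enabled echoes it."""
    return (f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"X-Probe: {PROBE_MARKER}\r\nConnection: close\r\n\r\n").encode()


def dechunk(body):
    """Decode an HTTP/1.1 chunked body (chunk extensions and trailers are ignored)."""
    out, pos = bytearray(), 0
    while (end := body.find(b"\r\n", pos)) >= 0:
        size = int(body[pos:end].split(b";")[0].strip() or b"0", 16)
        if size == 0:
            break
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)


def trace_reflected(raw_reply):
    """True when the reply is a 200 whose body echoes our request, i.e. TRACE is enabled."""
    head, sep, body = raw_reply.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split()
    if not sep or len(status) < 2 or status[1] != b"200":
        return False
    headers = {k.strip().lower(): v.strip().lower()
               for k, _, v in (line.partition(b":") for line in lines[1:])}
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    # A reflecting server sends message/http with our request verbatim; the marker is
    # the decisive signal, since a Cookie or Authorization header would be echoed the same way.
    return body.startswith(b"TRACE ") and PROBE_MARKER.encode() in body


def probe_trace(host, port=80, timeout=5.0):
    """Send the TRACE request over plain TCP and return (reflected, raw_reply)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        parts = []
        while data := sock.recv(65536):
            parts.append(data)
    raw = b"".join(parts)
    return trace_reflected(raw), raw


CIPHER_RE = re.compile(r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)"
                       r"\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$")


def weak_ciphers(plugin_output, min_bits=56):
    """Parse the 'name Kx= Au= Enc= Mac= [export]' table printed under SSLv2/SSLv3/TLSv1
    headings and return (protocol, name, key_bits) for export-grade or sub-min_bits suites."""
    protocol, found = None, []
    for line in (l.strip() for l in plugin_output.splitlines()):
        if line in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"):
            protocol = line
            continue
        m = CIPHER_RE.match(line)
        if not m:
            continue
        bits = re.search(r"\((\d+)\)", m["enc"])
        key_bits = int(bits.group(1)) if bits else 0  # "Enc=None" counts as no encryption
        if m["export"] or key_bits < min_bits:
            found.append((protocol, m["name"], key_bits))
    return found


# Constructed samples: a chunked message/http reply modelled on the scan output above,
# the 403 that the RewriteRule in the plugin's solution produces, and a cipher table
# excerpt with one strong suite added so the filter has something to reject.
SAMPLE_ECHO = build_trace_request("www.gplhost.com")
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.9 (Debian)\r\n"
                b"Transfer-Encoding: chunked\r\nContent-Type: message/http\r\n\r\n"
                + f"{len(SAMPLE_ECHO):x}\r\n".encode() + SAMPLE_ECHO + b"\r\n0\r\n\r\n")
SAMPLE_BLOCKED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
SAMPLE_CIPHERS = """\
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""

if __name__ == "__main__":
    print("sample reply reflects TRACE:", trace_reflected(SAMPLE_REPLY))
    for proto, name, bits in weak_ciphers(SAMPLE_CIPHERS):
        print(f"{proto} {name}: {bits}-bit")
```

probe_trace("www.example.com") runs the live version against a host you are allowed to test. The 403 sample is what the RewriteRule [F] from the plugin's solution returns; TraceEnable off answers 405 instead, and the check treats both as not reflected. One caveat on the SSLv2 advice further up: SSL 3.0 and TLS 1.0 have since been deprecated as well (RFC 7568 and RFC 8996), so the fix today is to offer TLS 1.2 or later only.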

