-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 20 April 2004 02:46, Konstantin Gavrilenko wrote: > ncftp client does not hash the password under certain conditions. And > such information is made available to other users through `ps aux` > Risk Factor: High Wget (1.8.2 and earlier) and lftp (2.6.11 and earlier) have the very same "vulnerability". I doubt thats a problem worth posting an advisory over. Both lftp and ncftp can be runned in interactive mode and the details entered inside, so no information is disclosed to "ps". Also, in wget, you can use the --input-file=<filename> option which allows you to put the URLs in ftp://user:pass@host/ format, one at a line in a file. Note that there will be still info on the harddrive (unless you remove the URL list from the disk after running the application is runned). In wget there isnt a way around that, so there it might be more of a "vulnerability" then ncftp or lftp. Alex -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAhWu7fDQ3s2iW3q0RAo89AJ0SuQgXKX5DODvUaiRDsp2/ZcJUCQCgw3/8 kTc+rq+E+wScAubqreOhkss= =xqeS -----END PGP SIGNATURE-----
