1. Copy the content of theĀ <TITLE> tag from advisories/CA-YYYY-NN.html to the page title above.
  2. Copy the entire content of the corresponding file from body/advisories/CAYYYYNN_FAYYYYNN.html into the HTML box below.
  3. (optional) Delete this page properties box prior to saving. This step is optional because it won't display on the rendered page anyway, only in edit mode.
Original issue date: September 10, 1991<BR>
Last revised: September 18, 1997<BR>
Attached copyright statement

<P>A complete revision history is at the end of this file.

<P>The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a vulnerability in the default
configurations of National Center for Supercomputing Applications
(NCSA) Telnet for both the Macintosh and the PC.  The vulnerability
also affects the version of NCSA Telnet with IBM 3270 terminal
emulation distributed by Clarkson University.  Two workarounds are
available that correct this problem.

<P>NCSA has committed to changing the default configurations in future
releases.  Maintenance updates for both the Macintosh and the PC are
planned to be released in about 2 months.

<P>NCSA provides two e-mail addresses for Telnet questions, comments,
and bug reports:

<P>PC Telnet		
	<A HREF=mailto:pctelnet@ncsa.uiuc.edu>pctelnet@ncsa.uiuc.edu</A> 

<P>Mac Telnet		
	<A HREF=mailto:mactelnet@ncsa.uiuc.edu>mactelnet@ncsa.uiuc.edu</A> 


<H2>I. Description</H2>

The default configuration of NCSA Telnet for both the Macintosh
and the PC has a serious vulnerability in its implementation of
an ftp server.

<P>The default configuration file enables ftp via the "ftp=yes"
line.  However, sites should be aware that ftp is also enabled
in the absence of any ftp statement in the configuration file.

<H2>II. Impact</H2>

Any Internet user can connect via ftp to a PC or Macintosh
running the default configuration of NCSA Telnet and gain
unauthorized read and write access to any of its files, including
system files.

<H2>III. Solution</H2>

Either disable ftp server functionality or provide password
protection as described below.

<P>To disable the ftp server, add an "ftp=no" line in the
configuration file.

<P>If the ftp server option is enabled (via either an "ftp=yes" line 
in the configuration file or the absence of an ftp statement in the 
configuration file), then the Telpass program (included with both 
Mac and PC versions) can be used to provide password protection.  
Telpass is used to enter usernames and encrypted passwords into a 
password file.  The configuration file specifies the name and 
location of the password file in the "passfile=" statement.  The 
usage of Telpass is documented in Chapter 5 of version 2.4 of the 
Macintosh version documentation and Chapter 7 of version 2.3 of the 
PC version.  Note that the documentation (as well as the package 
itself) is available by anonymous ftp from<A HREF="ftp://ftp.ncsa.uiuc.edu"> ftp.ncsa.uiuc.edu</A>

<P>The instructions for enabling password protection differ between
the Macintosh and PC versions, but in both cases they involve
enabling the "passfile" option in the configuration file, and
creating usernames and encrypted passwords with the Telpass

<P>CERT/CC strongly urges all sites running NCSA Telnet to implement
 of these two workarounds.


<P>The CERT/CC would like to thank NCSA and Clarkson University for their


<!--#include virtual="/include/footer_nocopyright.html" -->
<P>Copyright 1991 Carnegie Mellon University.</P>


Revision History
September 18,1997  Attached Copyright Statement