pkgsrc-Bugs archive
Re: Sensitive data for site files??
Hi حمود الشري,
Thus wrote حمود الشريف (hmoud022%gmail.com@localhost):
> I found a security issue on the site that allows viewing of the FTP files
> on the site
> https://ftp.netbsd.org/pub/
"The files visible and downloadable by ftp are also visible and
downloadable by http(s)" is not a security issue but an administrative
decision to make using the download server more convenient to use.
If your concern was that there's an etc directory:
ftp> ls
229 Entering Extended Passive Mode (|||53975|)
150 Opening ASCII mode data connection for '/bin/ls'.
total 65712
lrwxrwxr-x 1 root wheel 32 Aug 16 2009 .message -> pub/NetBSD/README.export-control
drwxr-x--x 3 root wheel 512 Aug 16 2009 etc
-rw-rw-r-- 1 600 netbsd 33607594 Feb 16 03:03 ls-lRA.gz
drwxr-xr-x 6 root wheel 512 Sep 30 2017 pub
-rw-rw-r-- 1 root wheel 77 Aug 16 2009 robots.txt
226 Transfer complete.
ftp> cd etc
250 CWD command successful.
ftp> get group |cat
local: |cat remote: group
229 Entering Extended Passive Mode (|||53978|)
150 Opening BINARY mode data connection for 'group' (41 bytes).
wheel:*:0:
srcmastr:*:666:
netbsd:*:125:
226 Transfer complete.
41 bytes received in 00:00 (0.09 KiB/s)
ftp> get master.passwd |cat
local: |cat remote: master.passwd
229 Entering Extended Passive Mode (|||53979|)
150 Opening BINARY mode data connection for 'master.passwd' (46 bytes).
root:*:0:0::0:0:::
srcmastr:*:234:666::0:0:::
226 Transfer complete.
46 bytes received in 00:00 (0.08 KiB/s)
=> it's not the configuration directory of the OS.
Any other concerns?
regards,
spz
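
As an added example (not part of the original message): a check for whether passwd-style files in a public FTP tree carry credential material, run over the two files shown in the transcript above. The function names and the three-way classification of the password field are assumptions of this example.

```python
# Added example: audit passwd-style files found in an anonymous-FTP tree.
# The sample data is copied from the FTP session shown in the message.

MASTER_PASSWD = """\
root:*:0:0::0:0:::
srcmastr:*:234:666::0:0:::
"""

GROUP = """\
wheel:*:0:
srcmastr:*:666:
netbsd:*:125:
"""

# BSD master.passwd has 10 colon-separated fields, group has 4.
FIELD_COUNTS = {"master.passwd": 10, "group": 4}


def classify_password_field(value):
    """Return 'locked', 'empty' or 'credential' for a password field."""
    if value == "":
        return "empty"       # no password set at all
    if value.startswith("*"):
        return "locked"      # '*' is the conventional no-valid-password marker
    return "credential"      # hash-like material that should not be public


def audit(kind, text):
    """Parse a master.passwd or group file and return a list of findings."""
    expected = FIELD_COUNTS[kind]
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != expected:
            findings.append((lineno, fields[0], "malformed"))
            continue
        state = classify_password_field(fields[1])
        # An empty password field is routine in group files, so only
        # report it for master.passwd, where it means a passwordless account.
        if state == "credential" or (state == "empty" and kind == "master.passwd"):
            findings.append((lineno, fields[0], state))
    return findings


if __name__ == "__main__":
    for kind, text in (("master.passwd", MASTER_PASSWD), ("group", GROUP)):
        print(kind, audit(kind, text) or "no credential material")
```
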