Debian Security Advisory

fsp -- creates user "ftp" unauthorized

Date Reported:
26 Nov 1998
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-1999-1411.
More information:
We have found that the fsp package introduces a possible security flaw. When the fsp package is installed it adds the user "ftp" without prompting the admin. This can enable anonymous FTP if you use the standard FTP daemon or wu-ftpd.

If you have installed fsp and an FTP daemon, and do not want to have anonymous FTP enabled, you should remove the "ftp" account. This can be done with the command "userdel ftp".

Please note that if you use proftpd as the FTP daemon this flaw will not affect you, since it required one to enable anonymous FTP manually.

We have fixed this in fsp 2.71-10. Please note that if you have already installed fsp, upgrading to this version will not remove the user "ftp", you will have to do manually.

Fixed in: