On November 20, 1997 I checked to see whether or not the version of SurfinShield 2.0 that I reviewed remained available and whether or not its installation script still contained the dangerous "xhost +" command. You can easily do the same and verify my observations until Finjan decides to remove its tainted software. The following transcript of my session shows quite clearly that SurfinShield 2.0 for UNIX was still available from ftp.finjan.com on November 20, 1997 and that its installation script, sfsInstall, contained the "xhost +" command on line 630. Thus Finjan continued to distribute software with dangerous security holes long after it had known about them. We can only hope that nobody downloaded and installed that software.
sparky:/export/home/tester - 24 - Thu Nov 20 19:34:58 CST 1997 % ftp ftp.finjan.com
Connected to ftp.finjan.com.
220 ftp.finjan.com FTP server (Version wu-2.4(15) Mon Mar 24 21:00:21 EST 1997) ready.
Name (ftp.finjan.com:tester): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 21714
-rw-r--r--   1 2897     400      3320540 Nov  4 10:31 SFS_Xtra_v2r5.EXE
-rw-r--r--   1 2897     400      2638277 May 20  1997 Ss20_11_1e.EXE
-rw-r--r--   1 2897     400      2638480 Apr 27  1997 Ss20_11e.EXE
-rw-r--r--   1 2897     400      1065984 Apr 27  1997 Ss20_11eU.tar
-rw-r--r--   1 2897     400     12500036 Nov 20 09:21 SurfinCheck.EXE
drwxr-xr-x   3 2897     400          512 Nov 20 10:55 download
drwxr-xr-x   2 2897     400          512 May 20  1997 sfgversions
226 Transfer complete.
446 bytes received in 0.17 seconds (2.6 Kbytes/s)
ftp> binary
200 Type set to I.
ftp> get Ss20_11eU.tar
200 PORT command successful.
150 Opening BINARY mode data connection for Ss20_11eU.tar (1065984 bytes).
226 Transfer complete.
local: Ss20_11eU.tar remote: Ss20_11eU.tar
1065984 bytes received in 3.9e+02 seconds (2.7 Kbytes/s)
ftp> quit
221 Goodbye.
sparky:/export/home/tester - 25 - Thu Nov 20 19:34:58 CST 1997 % mkdir SSTest
sparky:/export/home/tester - 26 - Thu Nov 20 19:34:58 CST 1997 % mv Ss20_11eU.tar SSTest
sparky:/export/home/tester - 27 - Thu Nov 20 19:34:58 CST 1997 % cd SSTest
sparky:/export/home/tester/SSTest - 28 - Thu Nov 20 19:44:21 CST 1997 % tar xf Ss20_11eU.tar
sparky:/export/home/tester/SSTest - 29 - Thu Nov 20 19:44:21 CST 1997 % ls
README.txt         add.zip            images             tools.zip
Ss20_11eU.tar      audio              register.exe       uninstall
SurfinShield       config             register.zip       unzip
SurfinShield.zip   help               sfsInstall         zip
sparky:/export/home/tester/SSTest - 30 - Thu Nov 20 19:44:21 CST 1997 % grep -n xhost sfsInstall
630:   /usr/openwin/bin/xhost +
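The grep at the end of that session is the whole audit, and it is worth running against any vendor installer before executing it: a bare "xhost +" switches off the X server's host-based access control, so every host that can reach the display is allowed to connect. The following POSIX shell check is an added example, not code from the original page or from Finjan; it does what the grep above does but also catches xhost under other paths and extra whitespace, and it deliberately ignores the scoped form "xhost +somehost". The installer it scans is a constructed sample, not sfsInstall.

```shell
#!/bin/sh
# Added example (not from the original page or from Finjan): audit an
# installation script for a bare "xhost +" before running it.
# "xhost +" with no host argument disables X server access control
# entirely; "xhost +somehost" is scoped to one host and is not flagged.

# Print every offending line as "LINE:TEXT", the same shape as grep -n
# in the transcript. Exit status: 0 if found, 1 if clean, 2 on error.
find_xhost_plus() {
    # $1 = path of the script to audit.
    # Match "xhost" at start of line, after whitespace, or after a "/"
    # (so /usr/openwin/bin/xhost is caught), then one or more blanks,
    # then a "+" followed only by whitespace or end of line.
    grep -nE '(^|[/[:space:]])xhost[[:space:]]+\+([[:space:]]|$)' "$1"
}

# Number of offending lines, as a bare integer (0 when clean).
count_xhost_plus() {
    find_xhost_plus "$1" | wc -l | tr -d ' '
}

# Constructed sample installer, written here only for the demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/sh
echo "Installing..."
xhost +localhost
/usr/openwin/bin/xhost +
cp -r files /opt/app
EOF

if find_xhost_plus "$sample"; then
    echo "WARNING: installer disables X access control; review it before running"
fi
rm -f "$sample"
```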
If this software is truly "an out-dated and unsupported version of Finjan's desktop product software," why then does Finjan continue to offer it? If this software truly "reached its scheduled 'end of life' following its release in February, 1997," why then is its rotting corpse lying in public waiting to be downloaded and installed? Finjan should remove this at once from their ftp site and issue a statement to alert those who may have run their installation script.
Note also that Finjan appears to have installed a new ftp server in March of 1997, more than a month after I observed the insecure state of ftp.finjan.com.