Mollensoft FTP Server Discloses Passwords to Local Users
|
|
SecurityTracker Alert ID: 1007387
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Aug 4 2003
|
Impact: Disclosure of authentication information
|
Exploit Included: Yes
|
Version(s): 3.5.3
|
Description: CyberTalon reported an authentication information disclosure vulnerability in Mollensoft FTP Server. A local user can view FTP user passwords.
It is reported that the software stores user passwords in clear text in the '/users' directory in a separate file for each user.
|
Impact: A local user can view passwords for the FTP users.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.mollensoft.com/product2.htm (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Windows (Any)
|
Reported By: cyber talon <cyber_talon@hotmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 02 Aug 2003 19:29:06 -0300
From: cyber talon <cyber_talon@hotmail.com>
Subject: Two Mollensoft FTP Server 3.5.3 Vulnerabilities
|
Two Mollensoft FTP Server 3.5.3 Vulnerabilities
Found by: CyberTalon
1. Intro
2. Problem1
3. Problem2
4. Solution
5. Ending/Info
1. I have discovered two vulnerabilities in Mollensoft's FTP Server.
2. By default, the server has an anonymous setup with no password and full
privledges.
3. It stores passwords in clear text, and are very easily found. You can
find information in /users. Each file in that folder is named after the
username, and holds the password and some other information as well.
3. For 2., As a user fix, disable the account or add a password. For 3.,
they need to use encryption.
4. The server could be compromised, and the attacker use the server as a
pub.
5. Vendor url: www.mollensoft.com
-CT
_________________________________________________________________
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.
http://join.msn.com/?page=features/virus
|
|
