SecurityTracker.com
Category:  Application (File Transfer/Sharing)  >  EFTP
Vendors:  Landross, Khamil and Jones, Zack
EFTP Discloses FTP Server Passwords and the Web Administration Password to Local Users
SecurityTracker Alert ID:  1007463
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Aug 11 2003
Impact:  Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 3.1.2.75
Description:  CyberTalon reported a password disclosure vulnerability in EFTP. A local user can view user passwords for the FTP server and can view the web administrator's password.

It is reported that a local user can view the user passwords for the FTP server that are stored in clear text in the 'userdata.ini' file. A local user can also view the web administrator's password in the 'eftp3server.ini' file.

[Editor's note: A similar password-disclosure flaw was reported in Alert ID 1002414 in September 2001. The previous report addressed version 2.0.7.337, in which the passwords were stored in a different file.]

Impact:  A local user can obtain FTP server user passwords. A local user can obtain the web administration password.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.eftp.org/
Cause:  Access control error
Underlying OS:  Windows (Any)
Reported By:  cyber talon <cyber_talon@hotmail.com>
Message History:   None.


 Source Message Contents

Date:  Mon, 11 Aug 2003 02:01:32 -0300
From:  cyber talon <cyber_talon@hotmail.com>
Subject:  EFTP Server 3.1.2.75 Local Password Vulnerabilities

 

            EFTP Server 3.1.2.75 Local Password Vulnerabilities
                      Found by: CyberTalon

1. Intro
2. Problem
3. Solution
4. Ending
5. Info

1. I have found a couple local password vulnerabilities in EFTP Server
3.1.2.75.

2. A user can read the server's users' usernames and passwords in plain text
out of the userdata.ini file and can read the web administration's password
out of the eftp3server.ini file.

3. They need to use encryption when storing sensitive data as such.

4. This could allow an attacker to compromise the server by simply
reading the userdata.ini file and compromise the web administration service
by reading the eftp3server.ini file.

5. Vendor URL: www.eftp.org

-CT
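
The storage fix the report asks for, as an added example (not code from EFTP, the reporter, or SecurityTracker): it converts a cleartext INI user store into salted PBKDF2-HMAC-SHA256 verifiers and checks a login against them. A one-way hash is used here in place of reversible encryption, since a server only needs to verify a password, not recover it. The page does not show the real userdata.ini layout, so the section names, the 'password' and 'pwhash' keys and the sample accounts are constructed assumptions.

```python
import configparser, hashlib, hmac, io, os

# Constructed sample: the real userdata.ini layout is not shown on the page,
# so these section names, key names and passwords are hypothetical.
CLEARTEXT_INI = """\
[alice]
password = Winter2003!
[bob]
password = hunter2
"""

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor

def hash_password(password, salt=None):
    """Return 'pbkdf2$<iterations>$<salt hex>$<digest hex>' for storage."""
    salt = salt or os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"

def _load(ini_text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return cfg

def migrate(ini_text):
    """Replace every cleartext 'password' key with a salted 'pwhash' verifier."""
    cfg = _load(ini_text)
    for user in cfg.sections():
        if cfg.has_option(user, "password"):
            cfg[user]["pwhash"] = hash_password(cfg[user]["password"])
            cfg.remove_option(user, "password")
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()

def verify(ini_text, user, candidate):
    """Check a login attempt against the stored verifier in constant time."""
    cfg = _load(ini_text)
    if not cfg.has_option(user, "pwhash"):
        return False  # unknown user or record not migrated
    scheme, iters, salt_hex, digest_hex = cfg[user]["pwhash"].split("$")
    if scheme != "pbkdf2":
        return False
    got = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                              bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(got, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    hardened = migrate(CLEARTEXT_INI)
    print(hardened)
    print(verify(hardened, "alice", "Winter2003!"), verify(hardened, "alice", "guess"))
```

Hashing limits what a reader of the file learns; because the advisory lists the cause as an access control error, the file's permissions still need to be restricted to the service account.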



 



Copyright 2002, SecurityGlobal.net LLC