RobotFTP Server Discloses Usernames and Passwords to Local Users
|
|
SecurityTracker Alert ID: 1007349
|
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Jul 31 2003
|
Impact: Disclosure of authentication information
|
Exploit Included: Yes
|
Version(s): 1.0
|
Description: CyberTalon reported an authentication information disclosure vulnerability in the RobotFTP Server. A local user can view usernames and passwords.
It is reported that the software stores passwords in plain text in the 'C:/Program Files/RobotFTPServer/rftpsrvr.bot' file. After the RobotFTP Server has been shut down once (causing it to save the passwords), a local user can view the passwords.
|
Impact: A local user can view passwords.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.robotftp.com/
|
Cause: Access control error
|
Underlying OS: Windows (Any)
|
Reported By: cyber talon <cyber_talon@hotmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 30 Jul 2003 17:40:00 -0300
From: cyber talon <cyber_talon@hotmail.com>
Subject: RobotFTP Server Local Password Vulnerability
|
RobotFTP Server 1.0 Local Password Vulnerability
Found by: CyberTalon
1. Intro
2. Problem
3. Solution
4. Ending
1. RobotFTP Server has a local password vulnerability.
2. RobotFTP Server stores the login usernames and passwords in C:/Program
Files/RobotFTPServer/rftpsrvr.bot. RobotFTP has to be closed once for it to
save the information/file, then it will be accessible from there on.
3. They need to use encryption when storing information of that sort.
4. This could allow an attacker to compromise the server if they could get
to it, and read it out of the rftpsrvr.bot locally.
Vendor url: http://www.robotftp.com
-CT
|
|
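An added example, not code from RobotFTP or from the original advisory: because an FTP server only has to check the password a client sends, it can save a salted PBKDF2 verifier at shutdown instead of the password itself. The JSON layout, function names, sample account and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Build a per-user verifier: random salt plus PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt.hex(), "iterations": ITERATIONS,
            "hash": _derive(password, salt, ITERATIONS).hex()}


def save_accounts(path: str, accounts: dict) -> None:
    """Persist {username: record}; the cleartext password is never written."""
    # 0o600 applies on POSIX when the file is created; on Windows the file
    # needs a restrictive ACL instead, which this example does not set.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(accounts, fh)


def load_accounts(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def verify_login(accounts: dict, username: str, password: str) -> bool:
    """Check a USER/PASS pair against the stored verifier."""
    record = accounts.get(username)
    if record is None:
        return False
    candidate = _derive(password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "accounts.json")  # constructed path
    save_accounts(path, {"alice": make_record("s3cret-Example")})  # constructed account
    db = load_accounts(path)
    print(verify_login(db, "alice", "s3cret-Example"), verify_login(db, "alice", "guess"))
```

A local user who reads the saved file sees only salts and digests; the file still needs a restrictive ACL, since the advisory lists the cause as an access control error.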