SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   EFTP
Vendors:   Landross, Khamil and Jones, Zack
EFTP Discloses FTP Server Passwords and the Web Administration Password to Local Users
SecurityTracker Alert ID:  1007463
SecurityTracker URL:  http://securitytracker.com/id/1007463
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 11 2003
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 3.1.2.75
Description:   CyberTalon reported a password disclosure vulnerability in EFTP. A local user can view user passwords for the FTP server and can view the web administrator's password.

It is reported that a local user can view the user passwords for the FTP server that are stored in clear text in the 'userdata.ini' file. A local user can also view the web administrator's password in the 'eftp3server.ini' file.

[Editor's note: A similar password-disclosure flaw was reported in Alert ID 1002414 in September 2001. The previous report addressed version 2.0.7.337, in which the passwords were stored in a different file.]

Impact:   A local user can obtain FTP server user passwords. A local user can obtain the web administration password.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.eftp.org/
Cause:   Access control error
Underlying OS:   Windows (Any)

Message History:   None.
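
One way to keep a local read of 'userdata.ini' from yielding usable passwords, as an added example (not EFTP's code and not part of the original report): store a salted PBKDF2 hash per user and verify logins against it. The section names, the `password` key and the stored-hash string format are assumptions, since the advisory does not show the file layout.

```python
import base64, configparser, hashlib, hmac, io, os

PREFIX, ITERATIONS = "pbkdf2_sha256", 600_000

# Constructed sample; section and key names are assumptions, not EFTP's real layout.
SAMPLE_INI = """\
[alice]
password = Winter2003!
home = C:\\ftp\\alice

[bob]
password = 100%letmein
"""

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>' for storage."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    enc = lambda b: base64.b64encode(b).decode()
    return f"{PREFIX}${iterations}${enc(salt)}${enc(dk)}"

def verify_password(candidate, stored):
    """Check a login attempt against a stored hash; cleartext entries never match."""
    try:
        prefix, iterations, salt, dk = stored.split("$")
        if prefix != PREFIX:
            return False
        iterations, salt, dk = int(iterations), base64.b64decode(salt), base64.b64decode(dk)
    except ValueError:  # wrong field count, bad integer or bad base64
        return False
    test = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(test, dk)  # constant-time comparison

def migrate(ini_text):
    """Replace cleartext passwords with hashes; return (new_ini_text, migrated sections)."""
    cfg = configparser.ConfigParser(interpolation=None)  # '%' in values is literal
    cfg.read_string(ini_text)
    migrated = []
    for section in cfg.sections():
        value = cfg.get(section, "password", fallback=None)
        if value is not None and not value.startswith(PREFIX + "$"):
            cfg.set(section, "password", hash_password(value))
            migrated.append(section)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue(), migrated

if __name__ == "__main__":
    print(migrate(SAMPLE_INI)[0])
```

Hashing limits what a reader of the file learns; restricting the file's permissions to the service account is still needed, because the advisory lists the cause as an access control error.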


 Source Message Contents

Date:  Mon, 11 Aug 2003 02:01:32 -0300
Subject:  EFTP Server 3.1.2.75 Local Password Vulnerabilities


            EFTP Server 3.1.2.75 Local Password Vulnerabilities
                      Found by: CyberTalon

1. Intro
2. Problem
3. Solution
4. Ending
5. Info

1. I have found a couple of local password vulnerabilities in EFTP Server
3.1.2.75.

2. A user can read the server's users' usernames and passwords in plain text
out of the userdata.ini file and can read the web administration's password
out of the eftp3server.ini file.

3. They need to use encryption when storing sensitive data as such.

4. This could allow an attacker to compromise the server by simply
reading the userdata.ini file and compromise the web administration service
by reading the eftp3server.ini file.

5. Vendor URL: www.eftp.org

-CT

Copyright 2012, SecurityGlobal.net LLC