vsftpd Discloses Whether Usernames are Valid or Not

SecurityTracker Alert ID: 1008628
SecurityTracker URL: http://securitytracker.com/id/1008628
CVE Reference: CVE-2004-0042
Updated: Jul 6 2008
Original Entry Date: Jan 7 2004
Impact: Disclosure of user information
Exploit Included: Yes
Version(s): 1.1.3

Description:
CyberTalon reported a vulnerability in vsftpd. A remote user can determine valid usernames on the FTP server.
In September 2003, it was reported that the server returns a different response depending on whether the supplied username is valid or invalid, which lets a remote user determine valid FTP user account names.
According to the report, the server responds with '530 Login incorrect' if a valid username and an incorrect password are supplied, but responds with '530 Permission denied' if an invalid username is provided.
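
An offline regression check for this behaviour, added here as an example and not part of the original advisory or of vsftpd: it parses recorded FTP sessions and lists every difference in the login replies between a known account and an unknown name. The two vsFTPd 1.1.3 sessions are the ones reported on this page; the uniform session and all function names are constructed for illustration.

```python
import re

# The two sessions reported for vsFTPd 1.1.3 on this page (server replies and client prompts).
VALID_USER_WRONG_PASSWORD = """\
220 (vsFTPd 1.1.3)
Name (host:name): rightusername
331 Please specify the password.
Password:
530 Login incorrect.
"""
UNKNOWN_USER = """\
220 (vsFTPd 1.1.3)
Name (host:name): wrongusername
530 Permission denied.
"""
# Constructed: the reply sequence a server that hides validity sends for any name.
UNKNOWN_USER_UNIFORM = VALID_USER_WRONG_PASSWORD.replace("rightusername", "wrongusername")

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")  # FTP reply: code, separator, text

def parse_replies(transcript):
    """Return [(code, text)] per server reply; client prompts are skipped."""
    replies, code, text = [], None, []
    for raw in transcript.splitlines():
        line = raw.strip()
        m = REPLY.match(line)
        if code is not None:  # inside a multi-line reply ("220-" ... "220 ")
            done = bool(m) and m.group(1) == code and m.group(2) == " "
            text.append(m.group(3) if done else line)
            if done:
                replies.append((code, "\n".join(text)))
                code, text = None, []
        elif m and m.group(2) == "-":
            code, text = m.group(1), [m.group(3)]
        elif m:
            replies.append((m.group(1), m.group(3)))
    return replies

def login_differences(known_account, unknown_name):
    """List observable differences in the post-banner login replies."""
    a, b = ([r for r in parse_replies(t) if r[0] != "220"]
            for t in (known_account, unknown_name))
    diffs = [f"reply count: {len(a)} vs {len(b)}"] if len(a) != len(b) else []
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            field = "code" if x[0] != y[0] else "text"
            diffs.append(f"reply {i} {field}: {' '.join(x)!r} vs {' '.join(y)!r}")
    return diffs
```

An empty list from `login_differences` means the two sessions are indistinguishable at the reply level; any entry is a signal that the login path reveals whether the name exists.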

Impact:
A remote user can determine whether a specified username is valid or not.

Solution:
No solution was available at the time of this entry.

Vendor URL: vsftpd.beasts.org/

Cause:
Access control error, State error

Underlying OS:
Linux (Any), UNIX (Any)

Message History:
None.

Source Message Contents

Date: Sat, 27 Sep 2003 13:24:01 -0300
Subject: Zipped file of txt vulnerabilities
vsFTPd 1.1.3 Lets remote users know if the username they supply is right
Found by: CyberTalon
1. Problem
2. Exploit
3. Info
1. vsFTPd 1.1.3 lets remote users know if the username they supply is right or wrong.
2. Session with right username and wrong password:
220 (vsFTPd 1.1.3)
Name (host:name): rightusername
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed.
ftp>
Session with wrong username:
220 (vsFTPd 1.1.3)
Name (host:name): wrongusername
530 Permission denied.
ftp: Login failed.
ftp>
3. Vendor URL: Unknown
-CT