[NT] FtpXQ Default Install Read/Write Capabilities

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 19 Dec 2001 13:29:37 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  FtpXQ Default Install Read/Write Capabilities
------------------------------------------------------------------------

SUMMARY

When FtpXQ
(<http://www.datawizard.net/Free_Software/FtpXQ_Free/ftpxq_free.htm>) is
installed with its default settings, a remote attacker can log in
anonymously and/or with the username 'test' and password 'test' and gain
read/write access to the entire C: drive of the computer on which the
product is installed.

DETAILS

Vendor response:
… Yes, those IDs are configured by default to have access for the C:\
drive for the purpose of an administrator testing the server. We assume
that every responsible administrator will run the server first in a test
environment, and not in a production setting, or on an IP that is exposed
to the internet. Administrators should obviously change the access for
both of these accounts and/or change the User IDs before putting it into a
production environment. Because of your email however, we will change the
default access for the anonymous user to be read only, as well as post a
message at the end of the install noting the default access for the test
users…

Workaround:
Make sure you delete the account 'test', modify its password, or restrict
its access. Disable anonymous access.
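The following is an added configuration-review example, not part of the advisory and not FtpXQ's own code: it takes a server's account table and flags the three defaults described above (anonymous access, a leftover 'test' account with its default password, and any account whose home directory is a whole drive root). The record format and the sample accounts are assumptions constructed for the example, since the advisory does not describe FtpXQ's configuration layout.

```python
"""Audit an FTP account table for the weak defaults the advisory describes.

The FtpAccount record layout below is an assumed, simplified format;
the advisory does not document how FtpXQ stores its configuration.
"""
import re
from dataclasses import dataclass

# Account names the advisory names as shipped defaults.
DEFAULT_ACCOUNTS = {"anonymous", "test"}

# A home directory that is a bare Windows drive root, e.g. "C:\" or "C:/".
DRIVE_ROOT = re.compile(r"^[A-Za-z]:[\\/]?$")


@dataclass
class FtpAccount:
    username: str
    password: str      # empty string means no password is required
    home: str          # home directory the account is confined to
    can_read: bool
    can_write: bool


@dataclass
class Finding:
    username: str
    severity: str      # "high" or "medium"
    message: str


def audit_accounts(accounts):
    """Return the findings for an account list, most severe first."""
    findings = []
    for acct in accounts:
        name = acct.username.lower()

        # Anonymous access: writable is the shipped default the advisory
        # reports; read-only is what the vendor said it would change to.
        if name == "anonymous":
            if acct.can_write:
                findings.append(Finding(acct.username, "high",
                    "anonymous login has write access; disable anonymous "
                    "access or make it read-only"))
            else:
                findings.append(Finding(acct.username, "medium",
                    "anonymous login is enabled; disable it unless required"))

        # Default named account still using its default (or no) password.
        elif name in DEFAULT_ACCOUNTS and acct.password.lower() in ("", name):
            findings.append(Finding(acct.username, "high",
                "default account present with its default or empty password; "
                "delete it or change the password"))

        # Any account rooted at a whole drive exposes the full filesystem.
        if DRIVE_ROOT.match(acct.home):
            sev = "high" if acct.can_write else "medium"
            findings.append(Finding(acct.username, sev,
                f"home directory {acct.home!r} is a whole drive; confine the "
                "account to a dedicated folder"))

    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: order[f.severity])
    return findings


# Constructed sample: the two shipped defaults as the advisory describes
# them, plus one account an administrator has already locked down.
SAMPLE_ACCOUNTS = [
    FtpAccount("anonymous", "", "C:\\", True, True),
    FtpAccount("test", "test", "C:\\", True, True),
    FtpAccount("ftpuser", "<set by admin>", "C:\\ftproot\\ftpuser", True, False),
]

# Constructed sample of the same table after applying the workaround.
HARDENED_ACCOUNTS = [
    FtpAccount("ftpuser", "<set by admin>", "C:\\ftproot\\ftpuser", True, False),
]


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"[{f.severity}] {f.username}: {f.message}")
    print("hardened findings:", audit_accounts(HARDENED_ACCOUNTS))
```

Running it against the sample table reports four high-severity findings, all on the 'anonymous' and 'test' accounts; the hardened table produces none, which is the state the workaround is meant to leave the server in.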

ADDITIONAL INFORMATION

The information has been provided by <mailto:tuck167@hotmail.com> Brice
Carlson.
