[NT] Personal FTP Server Saves Passwords in the Clear

From: SecuriTeam (support_at_securiteam.com)
Date: 05/31/03

    To: list@securiteam.com
    Date: 31 May 2003 11:22:10 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Personal FTP Server Saves Passwords in the Clear
    ------------------------------------------------------------------------

    SUMMARY

    Personal FTP Server <http://home.t-online.de/home/m-roth> is "a easy to
    use FTP server". However, the product has been found to store all
    usernames and passwords in an insecure way, giving a local attacker an
    easy method of retrieving them.

    DETAILS

    Vulnerable systems:
     * Personal FTP Server version 4.45

    Personal FTP Server stores all usernames and passwords in the file
    \Program Files\PFTP\PFTPUSERS3.USR in clear text. If a malicious user were
    to gain access to this file, they would have a list of all usernames and
    their associated passwords.

    Vendor response:
    The vendor was notified on May 30; no response has been received so
    far.

    ADDITIONAL INFORMATION

    The information has been provided by Ziv Kamir
    <mailto:vulncode@yahoo.com>.
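
The usual remedy for the weakness described under DETAILS, shown as an added example that is not part of the advisory or the vendor's code: store a per-user salt and a slow password hash instead of the password itself. The `user:scheme$iterations$salt$digest` line format and all function names are assumptions for illustration; the advisory does not describe the real layout of PFTPUSERS3.USR.

```python
import hashlib
import hmac
import os

# Assumption: a hypothetical one-line-per-user record format, used only to
# contrast the two storage schemes. Usernames must not contain ":".
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def cleartext_record(user, password):
    """The weakness: anyone who can read the file reads the password."""
    return f"{user}:{password}"


def hashed_record(user, password, salt=None):
    """Hardened form: per-user random salt plus a PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{user}:pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record, user, password):
    """Check a login attempt against a hashed record."""
    rec_user, _, rest = record.partition(":")
    try:
        scheme, iterations, salt_hex, digest_hex = rest.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except (ValueError, OverflowError):
        # Malformed or legacy cleartext record: refuse rather than guess.
        return False
    # Constant-time comparisons avoid leaking how many bytes matched.
    user_ok = hmac.compare_digest(rec_user.encode("utf-8"), user.encode("utf-8"))
    return user_ok and hmac.compare_digest(candidate, expected)
```

Hashing limits what a reader of the file learns, but the file should still be readable only by the account the server runs under.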
