[VulnWatch] Plaintext Password in Settings.ini of CesarFTP

From: Andreas Constantinides (megahz_at_megahz.org)
Date: 05/20/03

    To: <vulnwatch@vulnwatch.org>, <bugtraq@securityfocus.com>, <news@securiteam.com>
    Date: Tue, 20 May 2003 10:15:59 +0300
    
    

    Cesar FTP v0.99g (latest version)
    an FTP Server by http://www.aclogic.com/
    it saves the ftp password in file:
    c:\Program Files\CesarFTP\settings.ini
    in plaintext:

    ....
    Password= "lalala"
    Login= "megahz"
    Name= "megahz"
    ....

    Discovered by MegaHz
    www.megahz.org
    megahz@megahz.org
    www.cyhackportal.com
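
An added audit example, not part of the original post and not CesarFTP code: it scans settings.ini text for non-empty Password entries and reports the affected login without echoing the password, and it can produce a masked copy of the file. It assumes only the Key= "value" line shape shown in the excerpt above; the second account in the sample, the function names and the three-line search window are constructed for illustration.

```python
import re

# Shape of the entries in the post's excerpt:  Key= "value"
ENTRY = re.compile(r'^\s*(?P<key>[A-Za-z]+)\s*=\s*"(?P<val>[^"]*)"\s*$')

# Constructed sample: the excerpt from the post plus one made-up account.
SAMPLE = '''....
Password= "lalala"
Login= "megahz"
Name= "megahz"
....
Password= ""
Login= "anonymous"
Name= "anonymous"
'''

def find_plaintext_passwords(text, window=3):
    """Report each non-empty Password entry without returning its value."""
    parsed = [ENTRY.match(line) for line in text.splitlines()]
    findings = []
    for i, m in enumerate(parsed):
        if not m or m["key"].lower() != "password" or not m["val"]:
            continue
        findings.append({"line": i + 1,
                         "login": _nearest_login(parsed, i, window),
                         "length": len(m["val"])})
    return findings

def _nearest_login(parsed, i, window):
    """Assumption: the Login entry sits within `window` lines of its Password."""
    for dist in range(1, window + 1):
        for j in (i + dist, i - dist):
            if 0 <= j < len(parsed) and parsed[j] and parsed[j]["key"].lower() == "login":
                return parsed[j]["val"]
    return None

def redact(text):
    """Copy of the file with every password value masked, for sharing in a report."""
    return re.sub(r'(?im)^(\s*password\s*=\s*")[^"]*(")', r'\1<redacted>\2', text)

if __name__ == "__main__":
    for f in find_plaintext_passwords(SAMPLE):
        print(f"line {f['line']}: login={f['login']!r} stored in clear ({f['length']} chars)")
    print(redact(SAMPLE))
```

Any account this reports should have its password treated as exposed to every user and process that can read the file, so the file's ACL is worth checking alongside the scan.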

