FlashFXP 1.4 Local Password Disclosure Vulnerability
From: Blud Clot (bludclot@hellokitty.com)Date: 10/22/02
- Previous message: kalif@hushmail.com: "Virgil CGI Scanner Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Blud Clot" <bludclot@hellokitty.com> To: bugtraq@securityfocus.com Date: Tue, 22 Oct 2002 16:24:48 -0500
Description: Local users may be able to view passwords for ftp sites.
Versions affected: This was discovered on FlashFXP 1.4 (build 800). It is likely, but not tested, that any version 1.x is vulnerable. FlashFXP 2.x is not vulnerable.
Vendor Contacted: E-mailed CEDsoft on 8/31/02. They responded within hours and informed me that they had already known about this vulnerability and that their publicly available beta version already had it fixed.
Details: When passwords are entered into FlashFXP they are generally echoed with asterisks, but there is an exception. When there are transfers in the queue the password is visible in cleartext by editing the queue properties.
Solution: Upgrade to the latest version.
Personal Note: I was very impressed with their response time and commitment to security.
-BludClot
-- ____________________________________________________ Get your own Hello Kitty email @ www.sanriotown.comPowered by Outblaze
- Previous message: kalif@hushmail.com: "Virgil CGI Scanner Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
