NT4, IIS4 FTP service. Yawn.

From: Kayne Ian (Softlab) (Ian.Kayne@softlab.co.uk)
Date: 10/31/01


Message-ID: <CDD7435C5120D511870B00805F6FED1D91FDE3@birexm01.uk.softlab.net>
From: "Kayne Ian (Softlab)" <Ian.Kayne@softlab.co.uk>
To: Vuln-Dev <VULN-DEV@SECURITYFOCUS.COM>
Subject: NT4, IIS4 FTP service. Yawn.
Date: Wed, 31 Oct 2001 09:56:33 -0000

Hey all,
        Noticed something a little odd. It may have potential, already been
noticed, or it may be a dead end...

NT4 SP6a, IIS 4 with hotfixes. Only the FTP service installed. I created a
new FTP site, and set the Enable Anonymous Access and Allow Only Anonymous
options. The anon account was set to the standard IUSER account.

FTP'd to the machine, and tried to log in as anonymous, password "password".
This is what happened:

------------------------------------
c:\>ftp x.x.x.x
Connected to x.x.x.x.
220 xxxxxxx Microsoft FTP Service (Version 4.0).
User (x.x.x.x:(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
530 User (password) cannot log in.
Login failed.
------------------------------------

Notice that? Whatever password I typed in for the anonymous account was
echo'd back to the screen in plain text on the 530 error message.

Of course, your next question will be, why is the anonymous account
rejecting a login password? Good point, it seemed that the IIS password
synchronization feature had broken itself.

As I said, it may be nothing, but it seems strange to me that the password
should be echo'd to screen in plaintext.

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company
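
A defensive check for the behaviour reported above, as an added example that is not part of the original post: it scans a captured FTP control-channel transcript for server replies that repeat the argument of the preceding PASS command, and redacts the value before reporting it. The "C:"/"S:" direction-prefixed capture format, the function name and the sample lines are assumptions constructed for illustration; the 220/331/530 reply texts are the ones quoted in the post.

```python
import re

# Constructed capture in an assumed "C:"/"S:" direction-prefixed format.
# The first login mirrors the session quoted in the post; the second is a
# constructed control case where the reply does not repeat the password.
SAMPLE = """\
S: 220 xxxxxxx Microsoft FTP Service (Version 4.0).
C: USER anonymous
S: 331 Anonymous access allowed, send identity (e-mail name) as password.
C: PASS password
S: 530 User (password) cannot log in.
C: USER anonymous
S: 331 Anonymous access allowed, send identity (e-mail name) as password.
C: PASS s3cret-Example
S: 530 Login failed.
"""

REPLY = re.compile(r"^(\d{3})[ -](.*)$")  # "NNN text" or "NNN-text" (multi-line reply)

def find_reflected_passwords(capture, min_len=4):
    """Return (line_no, reply_code, redacted_reply) for every server reply
    that contains the argument of the PASS command it answers."""
    findings, pending = [], None
    for no, line in enumerate(capture.splitlines(), 1):
        direction, _, body = line.partition(": ")
        if direction == "C":
            verb, _, arg = body.partition(" ")
            # Only a PASS argument is tracked; any other command clears it.
            pending = arg if verb.upper() == "PASS" else None
        elif direction == "S" and pending is not None:
            m = REPLY.match(body)
            # min_len avoids flagging very short passwords that match by chance.
            if m and len(pending) >= min_len and pending in m.group(2):
                findings.append((no, int(m.group(1)),
                                 body.replace(pending, "<redacted>")))
            if m and body[3:4] == " ":  # final line of the reply ends the exchange
                pending = None
    return findings

if __name__ == "__main__":
    for line_no, code, reply in find_reflected_passwords(SAMPLE):
        print(f"line {line_no}: reply {code} repeats the PASS argument: {reply}")
```

The match is a case-sensitive substring test, so a password that happens to be an ordinary word in the server's reply text would be flagged as well; review hits rather than treating them as conclusive.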



