Personal FTP 4.0 stores all user names and passwords in the program in clear text, which often makes it possible to download all users' passwords.
4181e7f6b58a63526cec229d1d3ad58588252fdd1e3681f7f083a1f7753e2193
o0O Digital_Rebels O0o
- Advisory #2 -
--[Facts]--
Advisory : -DR- Personal FTP 4.0 Account Lookup
Date : 18.09.02
Application : Personal FTP 4.0
(former versions are likely to be affected, too)
Impact : Looking up User Accounts and Passwords
Author : Ernesto Tequila
--[Introduction]--
http://www.MRdownload.de
--[Advisory]--
The Personal FTP Server v4.0 stores all user names _and_
passwords in the program in clear text. This makes it
possible to read all users' passwords by simply copying
the whole Personal FTP folder, usually installed to
c:\Prgramms\PFTP, to your local disk and running the
program. The rights needed for copying depend on the user
account installing the application, so this is not really a
vulnerability, but a serious design flaw ;)
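The design fix for the flaw described above, as an added example (not code from Personal FTP or from the advisory's author): an account file that holds a per-user salt and a PBKDF2 verifier instead of the password, so a copied folder yields no clear-text credentials. The JSON layout, field names, function names and iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this example)


def make_record(username: str, password: str) -> dict:
    """Build the on-disk record: a random salt and a derived verifier, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"user": username, "salt": salt.hex(), "iter": ITERATIONS, "hash": digest.hex()}


def save_accounts(records: list) -> str:
    """Serialise the account file; this is all that someone copying the folder obtains."""
    return json.dumps(records, indent=2)


def check_login(account_file: str, username: str, password: str) -> bool:
    """Re-derive the verifier from the supplied password and compare in constant time."""
    for rec in json.loads(account_file):
        if rec["user"] == username:
            candidate = hashlib.pbkdf2_hmac(
                "sha256", password.encode("utf-8"), bytes.fromhex(rec["salt"]), rec["iter"]
            )
            return hmac.compare_digest(candidate, bytes.fromhex(rec["hash"]))
    return False


# Constructed sample accounts, not taken from any real installation.
# Both users share a password to show that per-user salts give different verifiers.
SAMPLE_FILE = save_accounts(
    [make_record("alice", "correct horse"), make_record("bob", "correct horse")]
)

if __name__ == "__main__":
    print(SAMPLE_FILE)
    print(check_login(SAMPLE_FILE, "alice", "correct horse"))
```

Restrictive file permissions on the install folder remain necessary, since a copied verifier file can still be attacked offline by password guessing.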
--[Patch]--
No patch available at the moment, vendor not contacted yet.
Check www.MRdownload.de for updates!
--[Contact]--
Ernesto Tequila <ernesto@digreb.net>
www.digreb.net
--[Shouts]--
..:: DigReb, HDC, THC ::..
..:: Rolex, n0-1, xaitax, [N]eofake, Leh, Semmel, marts, hb-man, Phil, Swift125 ::..