o0O Digital_Rebels O0o - Advisory #2 -

--[Facts]--

Advisory    : -DR- Personal FTP 4.0 Account Lookup
Date        : 18.09.02
Application : Personal FTP 4.0 (former versions are likely to be affected, too)
Impact      : Looking up user accounts and passwords
Author      : Ernesto Tequila

--[Introduction]--

http://www.MRdownload.de

--[Advisory]--

The Personal FTP Server v4.0 stores all user names _and_ passwords inside the program in clear text. This makes it possible to read all users' passwords by simply copying the whole Personal FTP folder, usually installed to c:\Prgramms\PFTP, to your local disk and running the program. The rights needed for copying depend on the user account that installed the application, so this is not really a vulnerability, but a serious design flaw ;)

--[Patch]--

No patch available at the moment, vendor not contacted yet. Check www.MRdownload.de for updates!

--[Contact]--

Ernesto Tequila
www.digreb.net

--[Shouts]--

..:: DigReb, HDC, THC ::..
..:: Rolex, n0-1, xaitax, [N]eofake, Leh, Semmel, marts, hb-man, Phil, Swift125 ::..