FTP Service Multiple Vulnerabilities

Vendor: Pablo Software Solutions
Product: FTP Service
Version: <= 1.2
Website: http://www.pablovandermeer.nl/ftp_service.html

BID: 7799 7801

Description:
FTPService.exe is a service-version of Pablo's FTP Server. This service enables you to have the FTP server active even when you're not logged into Windows.

Anonymous Access:
By default, the anonymous account has download access to anything in the C:\ directory. Deleting the anonymous account disables this access, but the default poses a serious threat to anyone not aware of the problem.

ftp://somewhere/windows/repair/sam

In conclusion, this application is open to complete compromise by default. The vendor was notified and plans on releasing a fix soon.

Plaintext Password Weakness:
User information is stored in plaintext in users.dat. If the anonymous account is present (it is by default), the entire FTP server can be compromised.

ftp://somewhere/program files/pablo's ftp service/users.dat
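
A log check for the two retrievals shown above, as an added example that is not part of the original advisory: it flags anonymous RETR requests for the SAM repair copy or users.dat after normalizing the requested path. The log line layout and the sample lines are constructed for illustration and are not the product's own log format.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed log layout (constructed, not the product's own format):
#   <date> <time> <client-ip> <user> <COMMAND> <path, may contain spaces>
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (.*)$")
ANON_USERS = {"anonymous", "ftp"}
# Targets taken from the advisory's two example URLs.
SENSITIVE_PATHS = {"/windows/repair/sam"}
SENSITIVE_NAMES = {"users.dat"}


def normalize(path):
    """Decode %xx, unify separators, drop a drive prefix, resolve ./.. and
    lowercase (Windows file names are case-insensitive)."""
    p = unquote(path).replace("\\", "/").lower()
    p = re.sub(r"^[a-z]:", "", p)
    return posixpath.normpath("/" + p.lstrip("/"))


def is_sensitive(path):
    p = normalize(path)
    return p in SENSITIVE_PATHS or posixpath.basename(p) in SENSITIVE_NAMES


def find_anonymous_leaks(lines):
    """Return (timestamp, client, normalized path) for each anonymous RETR
    of a sensitive file; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, user, cmd, arg = m.groups()
        if user.lower() in ANON_USERS and cmd.upper() == "RETR" and is_sensitive(arg):
            hits.append((ts, client, normalize(arg)))
    return hits


# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    "2024-01-01 10:01:12 192.0.2.10 anonymous RETR /pub/readme.txt",
    "2024-01-01 10:02:40 192.0.2.10 anonymous RETR /WINDOWS/repair/sam",
    "2024-01-01 10:03:05 192.0.2.10 Anonymous RETR /Program%20Files/Pablo's FTP Service/users.dat",
    "2024-01-01 10:04:19 198.51.100.7 alice RETR /windows/repair/sam",
    "2024-01-01 10:05:33 192.0.2.10 anonymous RETR /pub/../windows/./repair\\SAM",
]
```

Calling find_anonymous_leaks(SAMPLE_LOG) returns the three anonymous requests; the authenticated request from alice and the readme download are not flagged.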
Solution:
Upgrade your version of Pablo FTP Service.

Credits:
James Bercegay of the GulfTech Security Research Team.