FTP Service 1.2 - Multiple Vulnerabilities
FTP Service Multiple Vulnerabilities Vendor: Pablo Software Solutions Product: FTP Service Version: <= 1.2 Website: http://www.pablovandermeer.nl/ftp_service.html BID: 7799 7801 Description: FTPService.exe is a service-version of Pablo's FTP Server. This service enables you to have the FTP server active even when you're not logged into Windows. Anonymous Access The anonymous account is by default set to have download access to anything in the C:\ directory. While this can be disabled by simply deleting the anonymous account, it poses a serious threat for anyone not aware of the problem. ftp://somewhere/windows/repair/sam In conclusion this application is totally open to complete compromise by default. Vendor was notified and plans on releasing a fix soon. Plaintext Password Weakness: User info is stored in users.dat in plaintext. If the anonymous account is present (it is by default) the entire FTP server can be compromised ftp://somewhere/program files/pablo's ftp service/users.dat Solution: Upgrade your version of Pablo FTP Service. Credits: James Bercegay of the GulfTech Security Research Team.