ProFTPD Login Timing Account Name Enumeration

2004-10-15T05:50:31
ID OSVDB:10758
Type osvdb
Reporter Leon Juranic (leon.juranic@infigo.hr)
Modified 2004-10-15T05:50:31

Description

Vulnerability Description

ProFTPD contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when an attacker measures the time elapsed between sending the 'USER' command to the server and receiving the server's response. That elapsed time discloses which user accounts are valid, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.proftpd.org/
Security Tracker: 1011687
Secunia Advisory ID: 12836
Other Advisory URL: http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
Nessus Plugin ID: 15484
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-10/0145.html
ISS X-Force ID: 17724
CVE-2004-1602
Bugtraq ID: 11430