WinFTP Server user.wfd Cleartext Authentication Credential Disclosure

2004-11-24T09:39:58
ID OSVDB:12122
Type osvdb
Reporter Ziv Kamir (gss_it@yahoo.com)
Modified 2004-11-24T09:39:58

Description

Vulnerability Description

WinFTP Server contains a flaw that may lead to unauthorized information disclosure. User credentials are stored in plaintext in the "data\user.wfd" file, which is readable by all local users on the system. Any local user can therefore read the stored credentials, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Grant only trusted users access to affected systems.
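
An added example (not part of the original advisory or any vendor material): a PowerShell check that reports whether broad local groups hold read access on "data\user.wfd". The installation directory shown is an assumption and must be set to the actual path on the affected system.

```powershell
# Added example: audit read access on WinFTP Server's credential file.
# $InstallDir is an ASSUMED path; replace it with the real installation directory.
param(
    [string]$InstallDir = 'C:\Program Files\WinFTP Server'
)

$target = Join-Path $InstallDir 'data\user.wfd'
if (-not (Test-Path -LiteralPath $target)) {
    Write-Warning "File not found: $target"
    return
}

# Well-known SIDs for groups that cover ordinary local users:
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'
$readData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$sidType   = [System.Security.Principal.SecurityIdentifier]

$acl = Get-Acl -LiteralPath $target
$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries that include the right to read file contents matter here
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band $readData) -eq 0) { continue }

    # Compare by SID so localized group names are still matched
    try   { $sid = $ace.IdentityReference.Translate($sidType).Value }
    catch { continue }

    if ($broadSids -contains $sid) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "$target is readable by broad local groups:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "$target: no Allow/read entry for Everyone, Authenticated Users, Users or INTERACTIVE."
}
```

An `Inherited` value of `True` in a finding means the permission comes from a parent directory, so the ACL of the `data` folder or the installation directory is where the exposure originates.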

References:

Vendor URL: http://www.wftpserver.com/
Security Tracker: 1012321
Secunia Advisory ID: 13304
ISS X-Force ID: 18247
CVE-2004-2400
Bugtraq ID: 11749