Mollensoft FTP Server Password Exposure

2003-08-05T09:49:50
ID OSVDB:2121
Type osvdb
Reporter OSVDB
Modified 2003-08-05T09:49:50

Description

Vulnerability Description

Mollensoft FTP server contains a flaw that allows malicious users to obtain usernames and passwords. This is possible because Mollensoft stores user information unencrypted on the filesystem. Local access to the system running Mollensoft FTP server is required.

Technical Description

The problem is that usernames and passwords for the FTP server are stored in plaintext in the "users" directory.

Solution Description

Currently, there is no solution available. However, a workaround is to not allow untrusted users access to the system running Mollensoft FTP Server.

Manual Testing Notes

View the users' passwords in Mollensoft's "users" directory.

References:

Vendor URL: http://www.mollensoft.com/product2.htm
Security Tracker: 1007387
Secunia Advisory ID: 9451
ISS X-Force ID: 12819