Yak! FTP Service Predictable Password

2003-09-12T00:00:00
ID OSVDB:2838
Type osvdb
Reporter OSVDB
Modified 2003-09-12T00:00:00

Description

Vulnerability Description

Yak!'s FTP service generates usernames and passwords systematically rather than randomly, which allows an attacker who knows the scheme to guess the password with few attempts. Prior to version 2.1.0, the password was hardcoded in the program. Yak!'s switch to non-hardcoded passwords in version 2.1.0 breaks file transfer between 2.1.0 and earlier versions.
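The advisory does not publish Yak!'s generation scheme, so the following is an added illustration of the flaw class rather than Yak!'s code: a hypothetical deterministic password generator keyed only off public inputs (the peer name and a small session counter) next to a CSPRNG-based replacement, with an attacker-side routine that recovers the systematic password by enumerating the one hidden input. All names and the scheme itself are assumptions for the example.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def systematic_password(username: str, session_no: int) -> str:
    """Hypothetical predictable scheme (NOT Yak!'s actual algorithm).

    The password is a pure function of the peer name, which the attacker
    can observe, and a small counter. Hashing does not help: the attacker
    can run the same function over every plausible counter value.
    """
    digest = hashlib.md5(f"{username}:{session_no}".encode()).hexdigest()
    return digest[:8]


def random_password(length: int = 16) -> str:
    """Hardened alternative: draw every character from the OS CSPRNG.

    There is no input an attacker can reproduce, so the only attack is
    brute force over the whole keyspace.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def guess_systematic(username: str, target: str, max_sessions: int = 10_000):
    """Attacker's view of the systematic scheme.

    Knowing the generator and the username, enumerate the counter until
    the output matches the password in use. Returns the number of guesses
    needed, or None if the counter lay outside the search window.
    """
    for n in range(max_sessions):
        if systematic_password(username, n) == target:
            return n + 1
    return None


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of the given shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample: a peer "alice" whose 43rd session gets a password
    # from the predictable scheme. The attacker recovers it in 43 guesses.
    pw = systematic_password("alice", 42)
    print("systematic password:", pw, "guesses needed:", guess_systematic("alice", pw))
    # The random replacement offers ~95 bits for 16 characters.
    print("random password:", random_password(), "keyspace bits:",
          round(keyspace_bits(len(ALPHABET), 16), 1))
```

The point the two generators make side by side is that the weakness is not in the hash but in the inputs: anything derived from observable state is recoverable by an attacker who can run the same code, which is exactly why the vendor's only mitigation is to keep the FTP service off untrusted networks.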

Technical Description

Yak! is a UDP-based peer-to-peer chat service intended for use within protected ("trusted") networks; it includes an FTP service for transferring files between clients.

Solution Description

The vendor has not yet provided an upgrade and recommends using Yak! only within protected internal networks, so that the FTP service is not reachable from outside.

Currently, there are no known upgrades or patches to correct this issue. It is possible to mitigate the flaw with the following workaround: use Yak! only within protected internal networks to prevent untrusted access to the FTP service.

Short Description

Yak!'s FTP service generates usernames and passwords systematically rather than randomly, allowing an attacker to guess the password. Prior to version 2.1.0 the password was hardcoded; the change to non-hardcoded passwords in 2.1.0 breaks file transfer with earlier versions.

References:

Vendor URL: http://www.digicraft.com.au/yak/
Secunia Advisory ID: 10261
ISS X-Force ID: 13177
ISS X-Force ID: 13793
Bugtraq ID: 9072