LFTP Username/Password Disclosure

2004-04-20T06:28:00
ID OSVDB:5604
Type osvdb
Reporter Alex Behar (alex@eclipse.org.il)
Modified 2004-04-20T06:28:00

Description

Vulnerability Description

LFTP contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a user supplies a login name and password on the command line, which exposes that information to other users through process listings (ps), resulting in a loss of confidentiality.

Solution Description

Upgrade to the latest version of LFTP. It is also possible to correct the flaw by implementing the following workaround: supply usernames and passwords interactively, not via the command line.
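
To check whether the workaround is being followed, an audit can flag lftp invocations whose arguments carry a password. The following is an added example, not code from the advisory or from the LFTP project; it assumes lftp's -u user,pass option and URLs of the form scheme://user:pass@host, and its sample process data is constructed.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def parse_cmdline(raw):
    """Split the NUL-separated bytes of /proc/<pid>/cmdline into an argv list."""
    if not raw:
        return []
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]

def exposed_credentials(argv):
    """Return [(where, user)] for each password visible in an lftp argv.

    The password itself is never returned, so findings are safe to log.
    """
    if not argv or argv[0].rsplit("/", 1)[-1] != "lftp":
        return []
    findings, i = [], 1
    while i < len(argv):
        arg, value = argv[i], None
        if arg == "-u" and i + 1 < len(argv):       # -u user,pass
            i += 1
            value = argv[i]
        elif arg.startswith("-u") and len(arg) > 2:  # attached form: -uuser,pass
            value = arg[2:]
        elif URL_RE.match(arg):                      # scheme://user:pass@host
            parts = urlsplit(arg)
            if parts.password:
                findings.append(("url", parts.username))
        if value is not None:
            user, sep, password = value.partition(",")
            if sep and password:                     # "-u user" alone prompts instead
                findings.append(("-u", user))
        i += 1
    return findings

# Constructed sample data in /proc/<pid>/cmdline format (not from the advisory).
SAMPLES = [
    b"lftp\0-u\0alice,s3cret\0ftp.example.org\0",
    b"/usr/bin/lftp\0ftp://bob:hunter2@ftp.example.org/pub\0",
    b"lftp\0-u\0carol\0ftp.example.org\0",  # password supplied interactively
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(exposed_credentials(parse_cmdline(raw)))
```

The third sample, where only the user name is on the command line and the password is entered at the prompt, produces no finding.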

References:

Vendor URL: http://lftp.yar.ru/
Secunia Advisory ID: 11460
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-04/0258.html
ISS X-Force ID: 15943