DeluxeFTP plain text passwords disclosure

Monday, April 11, 2005
###########################################
deluxeFTP plain text passwords disclosure
vendor url:http://www.deluxeftp.com/
vendor notified: yes exploit available: yes
advisory url:http://lostmon.blogspot.com/2005/04/deluxeftp-plain-text-passwords.html
OSVDB ID: 15421
Secunia:SA14923
###########################################

DeluxeFTP contains a flaw that may lead to unauthorized disclosure
of user names and passwords. The program writes its configuration
to the 'sites.xml' file, where the user name and password of each
configured FTP site are stored in plain text, which may lead to a
loss of confidentiality.

##########
version:
##########

DeluxeFTP 6.0.1 affected.
DeluxeFTP Professional 7.0.1 beta affected.


###########
solution:
###########

Currently, there are no known upgrades, patches, or workarounds
available to correct this issue.

###########
timeline:
###########

discovered: 09/04/2005
vendor notified: 10/04/2005
disclosure date: 11/04/2005

##########
exploit:
##########

c:\program files\DeluxeFTP\sites.xml
c:\program files\DeluxeFTP Professional\sites.xml

In this file, for each site we have configured, we find this
information:

<SITE name="Test">
<ADDRESS>PLAINTEXT_FTP_HOST</ADDRESS>
<PORT>21</PORT>
<PASVMODE>0</PASVMODE>
<LOGIN>PLAINTEXT_USERNAME</LOGIN>
<PASSWORD>PLAINTEXT_PASSWORD</PASSWORD>
<REMOTEPATH />
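
For an administrator checking whether a workstation holds credentials that need rotating, the following added example (not part of the original advisory or of DeluxeFTP) parses a file in the layout shown above and reports every site with a stored password, without echoing the password. The `<SITES>` root element, the closing `</SITE>` tags, the function name `audit_sites_xml` and all sample values are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout shown in the advisory. The <SITES> root
# element and the closing </SITE> tags are assumptions; the advisory shows
# only the start of one <SITE> entry.
SAMPLE_SITES_XML = """<SITES>
<SITE name="Test">
<ADDRESS>ftp.example.test</ADDRESS>
<PORT>21</PORT>
<PASVMODE>0</PASVMODE>
<LOGIN>alice</LOGIN>
<PASSWORD>constructed-secret</PASSWORD>
<REMOTEPATH />
</SITE>
<SITE name="Anonymous mirror">
<ADDRESS>mirror.example.test</ADDRESS>
<PORT>21</PORT>
<LOGIN>anonymous</LOGIN>
<PASSWORD />
</SITE>
</SITES>"""


def audit_sites_xml(xml_text):
    """Return one finding per <SITE> that stores a non-empty <PASSWORD>.

    The password itself is never returned, only its length, so the report
    can be shared without spreading the credential further.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for site in root.iter("SITE"):  # also matches when <SITE> is the root
        password = (site.findtext("PASSWORD") or "").strip()
        if not password:
            continue  # nothing stored for this site
        findings.append({
            "site": site.get("name", "<unnamed>"),
            "host": (site.findtext("ADDRESS") or "").strip(),
            "login": (site.findtext("LOGIN") or "").strip(),
            "password_length": len(password),
        })
    return findings


if __name__ == "__main__":
    for f in audit_sites_xml(SAMPLE_SITES_XML):
        print("rotate credential: site=%(site)s host=%(host)s "
              "login=%(login)s (stored password, %(password_length)d chars)" % f)
```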


########
thanks
########

Thanks to Estrella, she is always in my mind
Thanks to all who support me day by day

--
Sincerely:

Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangle of: http://www.osvdb.org
Curiosity is what makes the mind move....
 
