Title: CesarFTP Plaintext Password Storage Vulnerability
Severity: MODERATE
Description:
CesarFTP is a freely available FTP Server for Microsoft Windows 9x/ME systems.
CesarFTP stores the plaintext passwords of FTP user accounts in a file called 'settings.ini', located in "\Program Files\CesarFTP\".
Any user able to view this file would be able to log into the FTP server as any FTP user on the system. This vulnerability may also compromise other places where the users authenticate, if they use the same password.
It may be possible to use various file disclosure vulnerabilities to obtain the contents of this file. For example, if the user is running a web server with a vulnerable CGI script on the same host, it may be possible for an attacker to first obtain 'settings.ini' via the CGI bug and then log into the FTP server and further compromise the system.
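The following added example (not code from CesarFTP or from this advisory) shows the weakness and its fix side by side: it audits an INI-style account file for plaintext password entries and rewrites them as salted PBKDF2 hashes, so that disclosure of the file no longer yields usable logins. The section and key names are assumptions, since the advisory does not show the actual layout of 'settings.ini'.

```python
import configparser, hashlib, hmac, io, os

# Constructed sample. The advisory does not show the real settings.ini layout,
# so the section and key names here are hypothetical.
SAMPLE_INI = """\
[User.alice]
Login = alice
Password = winter2001
[User.bob]
Login = bob
Password = hunter2
"""
PREFIX = "pbkdf2$"
ITERATIONS = 600_000

def hash_password(password, salt=None):
    """Return 'pbkdf2$<salt hex>$<digest hex>' with a random per-user salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}{salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt; legacy plaintext entries never match."""
    if not stored.startswith(PREFIX):
        return False
    salt_hex = stored[len(PREFIX):].partition("$")[0]
    try:
        candidate = hash_password(password, bytes.fromhex(salt_hex))
    except ValueError:  # malformed salt field
        return False
    return hmac.compare_digest(candidate, stored)

def load(ini_text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # preserve key case when writing back
    cfg.read_string(ini_text)
    return cfg

def find_plaintext(cfg):
    """Sections whose Password value is not in the hashed format."""
    return [s for s in cfg.sections()
            if cfg.has_option(s, "Password")
            and not cfg[s]["Password"].startswith(PREFIX)]

def migrate(ini_text):
    """Rewrite the file text with every plaintext Password replaced by its hash."""
    cfg = load(ini_text)
    for section in find_plaintext(cfg):
        cfg[section]["Password"] = hash_password(cfg[section]["Password"])
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()
```

Because FTP delivers the password to the server at login, the server can hash the submitted value and compare it with the stored entry, so it never needs the plaintext on disk.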
Affected Products:
- ACLogic CesarFTP 0.98.0 b
- ACLogic CesarFTP 0.99.0 g
References:
- ACLogic: CesarFTP Homepage