Message-ID: <20050814212038.10619.qmail@securityfocus.com>
Date: 14 Aug 2005 21:20:38 -0000
From: nnposter@...rs.sourceforge.net
To: bugtraq@...urityfocus.com
Subject: Hummingbird FTP Weak Password Encryption


Hummingbird FTP Weak Password Encryption


Critical: Less critical
Impact: Exposure of sensitive information
Where: Local system
Solution Status: Unpatched

Software: Hummingbird Connectivity 10.x
http://connectivity.hummingbird.com/products/nc/cpia.html


Description:
A vulnerability has been identified in Hummingbird FTP, which can be exploited by malicious local users to gain knowledge of sensitive information.

The vulnerability is caused by the use of a simple algorithm to "encrypt" passwords in FTP profiles (*.hfs). The ciphertext is generated by incrementing the plaintext ASCII value of each password character by 125 (0x7d). This makes it trivial to gain knowledge of the password.

The vulnerability has been confirmed in version 10. However, prior versions may also be affected.


Solution:
Set proper ACLs for FTP profiles.

Found by:
nnposter

History:
Vendor notified July 13, 2005
Vendor acknowledged receipt July 13, 2005
Public release August 14, 2005
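
An added example, not part of the original advisory: a PowerShell audit for the workaround above that lists *.hfs profiles whose ACLs let broad groups read them. The search root is an assumption (the advisory gives no profile path), and the set of SIDs treated as "broad" is a choice made for this example.

```powershell
# Audit NTFS ACLs on Hummingbird FTP profile files (*.hfs).
# Assumption: $SearchRoot is where profiles live on this host; the advisory names no path.
param(
    [string]$SearchRoot = $env:USERPROFILE   # placeholder default, adjust per host
)

# Well-known SIDs of broad groups that should not be able to read a file
# holding a reversibly encoded password. Matching on SIDs avoids localized names.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# ReadData is the right needed to read the file contents.
$ReadMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-BroadReadAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Include explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        $grantsRead = (([int]$rule.FileSystemRights -band $ReadMask) -ne 0)
        if ($rule.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and $grantsRead) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited   # inherited ACEs must be fixed on the parent folder
            }
        }
    }
}

# Report every profile that a broad group can read; empty output means none were found.
Get-ChildItem -LiteralPath $SearchRoot -Filter *.hfs -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-BroadReadAce -Path $_.FullName } |
    Format-Table -AutoSize
```

Rows marked as inherited point at a permissive parent directory rather than the file itself, so the fix belongs on that folder or requires disabling inheritance on the profile.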

