Message-ID: <004301c2935c$fb1c37c0$e62d1c41@kc.rr.com>
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: acFTP Authentication Issue
acFTP is an open-source FTP daemon for Windows platforms
(http://www.sourceforge.net/projects/acftp) that offers more functionality
than many proprietary servers (including the MS FTP service). The
authentication code of acFTP contains a flaw -- specifically, the server
treats users as logged in without a valid password. This results in
misrepresentation of server activity in log files, and possibly privilege
elevation.

For example:

    USER private
    PASS #

This leads it to reject my password, but I cannot log in with another set
of credentials, and my log activity appears as "private" instead of the
appropriate "-" or "***".
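
Added example, not part of the original message and not acFTP's code: a minimal control-connection state model in which the name sent with USER is kept separate from the authenticated identity, so a rejected PASS leaves the session logged as "-" and a fresh USER/PASS pair can still succeed. It assumes the flaw comes from treating the USER name as the session identity before PASS is verified; the class, account names and passwords are hypothetical.

```python
# Added illustration; not acFTP source. Class and account names are hypothetical.
import hmac

ACCOUNTS = {"private": "s3cret", "guest": "guest"}  # constructed sample accounts


class Session:
    """Control-connection state where identity is bound only by a valid PASS."""

    def __init__(self):
        self.pending_user = None   # name from USER, not yet trusted
        self.auth_user = None      # set only after PASS verifies
        self.log = []

    def log_name(self):
        # Unauthenticated activity is logged as "-", never as the claimed name.
        return self.auth_user if self.auth_user else "-"

    def handle(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            # A new USER restarts the login sequence and drops any prior identity.
            self.pending_user, self.auth_user = arg, None
            reply = "331 Password required"
        elif cmd == "PASS":
            reply = self._check_password(arg)
        elif self.auth_user is None:
            reply = "530 Not logged in"
        else:
            reply = "200 OK"
        # Log the command name and reply code only, never the PASS argument.
        self.log.append(f"{self.log_name()} {cmd} -> {reply[:3]}")
        return reply

    def _check_password(self, password):
        if self.pending_user is None:
            return "503 Login with USER first"
        expected = ACCOUNTS.get(self.pending_user)
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
        user, self.pending_user = self.pending_user, None
        if not ok:
            self.auth_user = None  # a failed PASS never leaves an identity behind
            return "530 Login incorrect"
        self.auth_user = user
        return "230 User logged in"
```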