| VID | 16020 |
| Severity | 20 |
| Port | 21 |
| Protocol | TCP |
| Class | FTP |
| Detailed Description |
It is possible to determine the existence of a user on the remote system by issuing the command CWD ~<username>, even before logging in.
For example:
    telnet target 21
    CWD ~root
    530 Please login with USER and PASS.
    CWD ~nonexistinguser
    530 Please login with USER and PASS.
    550 Unknown user name after ~
An attacker may use this to determine the existence of accounts known to be vulnerable (like guest) or to determine which system you are running.
* References: http://www.securityspace.com/smysecure/catid.html?id=10653 |
| Recommendation | Inform your vendor, and ask for a patch, or change your FTP server |
| Related URL | CVE-2001-0421 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |