| VID |
16092 |
| Severity |
20 |
| Port |
21 |
| Protocol |
TCP |
| Class |
FTP |
| Detailed Description |
According to its banner, the ArGoSoft FTP Server has a user enumeration vulnerability. ArGoSoft FTP Server is a freely available FTP server for Microsoft Windows platforms. ArGoSoft FTP Server version 1.4.2.0 and earlier could allow a remote attacker to determine valid usernames on the system. A login name supplied with the USER command will not be accepted unless it is valid. If the username is invalid, the server returns a message similar to:
530 User NAME_HERE does not exist
Otherwise, it accepts the username and asks for the password. A remote attacker may exploit this flaw to harvest valid usernames, potentially facilitating brute-force attacks.
* Note: This check relied solely on the banner of the remote FTP server to assess this vulnerability, so this might be a false positive.
* References: http://securityfocus.com/archive/1/385855 and http://www.lovebug.org/argosoft_advisory.txt
* Platforms Affected: ArGoSoft FTP Server 1.4.2.0 and earlier; Microsoft Windows, any version |
| Recommendation |
Upgrade to the latest version of ArGoSoft FTP Server (1.4.2.4 or later), available from the ArGoSoft FTP Server Web page at http://www.argosoft.com/applications/ftpserver/download.asp |
| Related URL |
CVE-2004-1428 (CVE) |
| Related URL |
12139 (SecurityFocus) |
| Related URL |
18721 (ISS) |
|
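
The difference between the leaking USER handling described above and a uniform-reply design, as an added example that is not part of this entry and is not ArGoSoft code. The class, function names, account store and every reply text other than the `530 User ... does not exist` message are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_accounts(plain: dict) -> dict:
    """Build a constructed account store: username -> (salt, PBKDF2 hash)."""
    accounts = {}
    for user, password in plain.items():
        salt = os.urandom(16)
        accounts[user] = (salt, _hash(password, salt))
    return accounts

# Hashed for unknown users so PASS costs the same whether or not the name exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

class FtpAuth:
    """Minimal USER/PASS state machine (hypothetical, for illustration only)."""

    def __init__(self, accounts: dict, leak_usernames: bool):
        self.accounts = accounts
        self.leak_usernames = leak_usernames
        self.pending_user = None

    def user(self, name: str) -> str:
        if self.leak_usernames and name not in self.accounts:
            # Behaviour described in this entry: the reply depends on validity.
            self.pending_user = None
            return f"530 User {name} does not exist"
        # Hardened path: identical reply for every name; the decision waits for PASS.
        self.pending_user = name
        return "331 Password required"

    def password(self, password: str) -> str:
        name, self.pending_user = self.pending_user, None
        if name is None:
            return "503 Login with USER first"
        salt, expected = self.accounts.get(name, (_DUMMY_SALT, _DUMMY_HASH))
        matches = hmac.compare_digest(_hash(password, salt), expected)
        if matches and name in self.accounts:
            return "230 User logged in"
        # One failure message for both an unknown user and a wrong password.
        return "530 Login incorrect"
```

With `leak_usernames=False`, a client learns nothing from the USER reply and sees the same failure text after PASS in both cases; rate limiting of failed logins is a separate control not shown here.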