VID: 16124
Severity: 30
Port: 21
Protocol: TCP
Class: FTP
Detailed Description:
Home FTP Server is affected by multiple information disclosure vulnerabilities. Home FTP Server is a freely available FTP server for Microsoft Windows platforms. Home FTP Server version 1.0.7 b45 could allow a local attacker to obtain sensitive information and a remote attacker to carry out directory traversal attacks, as follows:
1) Directory traversal vulnerability: Home FTP Server could allow a remote, authenticated attacker to read arbitrary files via C:\ (Windows drive letter) sequences in commands such as LIST or RETR.
2) Information disclosure vulnerability: Home FTP Server stores user information in the ftpmembers.lst file and server configuration settings in the ftpsettings.lst file, both in plaintext in the default directory. A remote, authenticated attacker could use this vulnerability to obtain sensitive information.
* References:
  http://www.autistici.org/fdonato/advisory/HomeFtpServer1.0.7-adv.txt
  http://www.securityfocus.com/archive/1/409030
  http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0814.html
* Platforms Affected: Home Series, Home FTP Server version 1.0.7 b45; Microsoft Windows, any version
Recommendation:
No upgrade or patch available as of December 2006. Please use another product.
Related URL:
CVE-2005-2726, CVE-2005-2727 (CVE)
14653 (SecurityFocus)
22002, 22003 (ISS)