FTPPro Information Disclosure Vulnerability
BID:1790
Info
FTPPro Information Disclosure Vulnerability
| Bugtraq ID: | 1790 |
| Class: | Design Error |
| CVE: |
CVE-2000-0008 |
| Remote: | No |
| Local: | Yes |
| Published: | Dec 27 1999 12:00AM |
| Updated: | Jul 11 2009 03:56AM |
| Credit: | Discovered by and first posted to Bugtraq by The Wall <[email protected]> on December 27, 1999. |
| Vulnerable: |
1st Choice Software FTPPro 7.5 |
| Not Vulnerable: | |
Discussion
FTPPro Information Disclosure Vulnerability
FTPPro is a shareware FTP package written by 1st Choice Software for the Microsoft Windows platforms. The FTPPro software package creates a key in the registry of any machine on which it is installed. This key, contained at extension \HKEY_LOCAL_MACHINE\SOFTWARE\FTPPro98c, stores sensitive user information in an unencrypted state. The permissions of the key permit any users of group "Everybody" to execute commands Query Value, Set Value, Create Subkey, Enumerate Subkey, Notify, Delete, and Read Control. The key permissions additionally permit Full Control to Administrator, Owner, and System.
Within this key, sensitive information such as the owners credit card number, credit card expiration date, card type, name, registration address, and telephone number is stored. The "Offline Registration" option of this software package will additionally create a clear text document titled "Register.txt" in the working directory of the program, also containing this information. As a consequence, it is possible for an attacker to retrieve sensitive personal information about the owner of the package.
FTPPro is a shareware FTP package written by 1st Choice Software for the Microsoft Windows platforms. The FTPPro software package creates a key in the registry of any machine on which it is installed. This key, contained at extension \HKEY_LOCAL_MACHINE\SOFTWARE\FTPPro98c, stores sensitive user information in an unencrypted state. The permissions of the key permit any users of group "Everybody" to execute commands Query Value, Set Value, Create Subkey, Enumerate Subkey, Notify, Delete, and Read Control. The key permissions additionally permit Full Control to Administrator, Owner, and System.
Within this key, sensitive information such as the owners credit card number, credit card expiration date, card type, name, registration address, and telephone number is stored. The "Offline Registration" option of this software package will additionally create a clear text document titled "Register.txt" in the working directory of the program, also containing this information. As a consequence, it is possible for an attacker to retrieve sensitive personal information about the owner of the package.
Exploit / POC
FTPPro Information Disclosure Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
FTPPro Information Disclosure Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].