CoffeeCup FTP Clients Weak Password Encryption Vulnerability
BID:2107
| Bugtraq ID: | 2107 |
| Class: | Design Error |
| CVE: | CVE-2001-0103 |
| Remote: | No |
| Local: | Yes |
| Published: | Dec 14 2000 12:00AM |
| Updated: | Jul 11 2009 04:46AM |
| Credit: | reported to SecurityFocus by Julio César Hernández <[email protected]> on 14 Dec, 2000. |
| Vulnerable: | CoffeeCup Software CoffeeCup Free FTP 1.0; CoffeeCup Software CoffeeCup Direct FTP 1.0 |
| Not Vulnerable: | |
Discussion
A vulnerability exists in the FTP clients CoffeeCup Direct and CoffeeCup Free.
The clients use the file FTPServers.ini to store password information for sites to which the client has been connected. The encryption method designed to obfuscate these passwords can be easily defeated.
As a result, a malicious user able to read the FTPServers.ini file will be able to obtain the passwords for any of the stored FTP servers, compromising their security.