Backup Manager FTP Server Information Disclosure Vulnerability

Bugtraq ID:	25503
Class:	Design Error
CVE:	CVE-2007-4656
Remote:	No
Local:	Yes
Published:	Aug 31 2007 12:00AM
Updated:	Mar 17 2008 05:50PM
Credit:	Micha Lenk is credited with discovering this issue.
Vulnerable:	Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 Backup Manager Backup Manager 0.6.2 Backup Manager Backup Manager 0.6.1 Backup Manager Backup Manager 0.6 Backup Manager Backup Manager 0.5.8 b Backup Manager Backup Manager 0.5.8 a Backup Manager Backup Manager 0.5.8 Backup Manager Backup Manager 0.5.7 Backup Manager Backup Manager 0.5.6
Not Vulnerable:	Backup Manager Backup Manager 0.6.3

Backup Manager FTP Server Information Disclosure Vulnerability

Backup Manger is prone to an information-disclosure vulnerability affecting FTP access to the backup server.

Local attackers can exploit this issue to gain authentication credentials for the backup server. Successful attacks can compromise the backup server.

Versions prior to Backup Manager 0.6.3 are vulnerable.

Backup Manager FTP Server Information Disclosure Vulnerability

No specific exploit code is required to exploit this issue. An attacker must be able to view the process list on an affected computer to gain sensitive information.

Backup Manager FTP Server Information Disclosure Vulnerability

Solution:
The vendor released Backup Manager 0.6.3 to address this issue. Please see the references for more information.


Backup Manager Backup Manager 0.5.6

• Backup Manager backup-manager-0.6.3.tar.gz
  http://www.backup-manager.org/download/backup-manager-0.6.3.tar.gz

Backup Manager Backup Manager 0.5.7

• Backup Manager backup-manager-0.6.3.tar.gz
  http://www.backup-manager.org/download/backup-manager-0.6.3.tar.gz

Backup Manager Backup Manager 0.5.8 b

• Backup Manager backup-manager-0.6.3.tar.gz
  http://www.backup-manager.org/download/backup-manager-0.6.3.tar.gz

Backup Manager Backup Manager 0.5.8

• Backup Manager backup-manager-0.6.3.tar.gz
  http://www.backup-manager.org/download/backup-manager-0.6.3.tar.gz

Backup Manager Backup Manager 0.5.8 a

• Backup Manager backup-manager-0.6.3.tar.gz
  http://www.backup-manager.org/download/backup-manager-0.6.3.tar.gz

Backup Manager Backup Manager 0.6

• Backup Manager backup-manager-0.6.3.tar.gz
  http://www.backup-manager.org/download/backup-manager-0.6.3.tar.gz

Backup Manager Backup Manager 0.6.1

• Backup Manager backup-manager-0.6.3.tar.gz
  http://www.backup-manager.org/download/backup-manager-0.6.3.tar.gz

Backup Manager Backup Manager 0.6.2

• Backup Manager backup-manager-0.6.3.tar.gz
  http://www.backup-manager.org/download/backup-manager-0.6.3.tar.gz

Backup Manager FTP Server Information Disclosure Vulnerability

References:

• Backup Manager 0.6.3 Release Notes (Backup Manager)
  
• Debian Bug report logs - #439392 backup-manager: password disclosure in backup u (Micha Lenk)
  
• Vendor Homepage (Backup Manager)