Cerberus FTP Server Discloses Existence of User Accounts to Remote Users
|
|
SecurityTracker Alert ID: 1006605 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Apr 20 2003
|
Impact: Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
Version(s): 2.1
|
Description: An information disclosure vulnerability was reported in the Cerberus FTP Server. A remote user can determine if specified user accounts exist on the system.
During the authentication process, the FTP server reportedly indicates whether a user-supplied username is valid or not. A remote
user can exploit this to determine valid usernames and then attempt to guess the passwords for those accounts.
|
Impact: The system indicates to remote users whether or not the specified user account name is valid or not.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.cerberusftp.com/ (Links to External Site)
|
Cause: Access control error, State error
|
Underlying OS: Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 19 Apr 2003 20:05:14 -0400
Subject: Cerberus FTP Server Bug
|
SecurityFocus reported an information disclosure vulnerability in Cerberus FTP Server
version 2.1, crediting discover to to "Ziv Kamir" <vulncode@yahoo.com>, but not indic
ating
where the report was posted [it had not been posted to Bugtraq at the time of this entry].
During the authentication process, the FTP server reportedly indicates whether a
user-supplied username is valid or not.
Vendor URL: http://www.cerberusftp.com/index.html
|
|
