Data Wizard Technologies FtpXQ FTP Server Default Configuration Lets Remote Users Access the C:\ Drive - SecurityTracker

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (File Transfer/Sharing) > FtpXQ

Vendors: DataWizard Technologies

Data Wizard Technologies FtpXQ FTP Server Default Configuration Lets Remote Users Access the C:\ Drive

SecurityTracker Alert ID: 1003011

SecurityTracker URL: http://securitytracker.com/id/1003011

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Dec 19 2001

Impact: Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information

Fix Available: Yes Vendor Confirmed: Yes

Description: A default configuration vulnerability was reported in the Data Wizard FtpXQ FTP server. A remote user can read and write files on the C: drive.

It is reported that the default installation of the FtpXQ server gives anonymous users read/write access to the C: drive. In addition, a test account is created with the common username and password of "test". This test account also has read/write access to the C: drive.

Impact: In the default configuration, a remote user can read and write to the C: drive without requiring authentication.

Solution: The vendor plans to issue a fixed version that will ensure that, as a default configuration, anonymous users have read-only access. Furthermore, the installation process will display a note explicitly informing the administrator of the default account settings.

Vendor URL: www.datawizard.net/Support/FtpXQ/ftpxq.htm (Links to External Site)

Cause: Configuration error

Underlying OS: Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History: None.

Source Message Contents

Date: Tue, 18 Dec 2001 22:58:02 -0500
Subject: FTPXQ default install read/write capabilities


FTPXQ default install read/write capabilities
by Brice Carlson


****
System
****
ftpXQ by www.datawizard.net

****
Problem
****
Upon default setup. Through anonymous and through the user name and pass of 
test you have read/write capabilities to drive c:

****
Vendor Notification Date.
****

December 4, 2001

****
Vendor Response to email.
****

Hi Brice, Yes, those IDs are configured by default to have access for the 
C:\ drive for the purpose of an administrator testing the server. We assume 
that every responsible administrator will run the server first in a test 
environment, and not in a production setting, or on an IP that is exposed to 
the internet. Administrators should obviously change the access for both of 
these accounts and/or change the User IDs before putting it into a 
production environment. As a result of your email however, we will change 
the default access for the anonymous user to be read only, as well as post a 
message at the end of the install noting the default access for the test 
users. Sincerely, Rahim

Rahim Mawji Director,
Applications Development
DataWizard Technologies
Phone: (416) 385-9741, x1013
Fax: (416) 385-9784
rmawji@datawizard.net www.datawizard.net

---end vendor response

****
Enough Said!
****


-- Brice Carlson
-- tuck167@hotmail.com

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2013, SecurityGlobal.net LLC