SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (File Transfer/Sharing)  >   FtpXQ Vendors:   DataWizard Technologies
Data Wizard Technologies FtpXQ FTP Server Default Configuration Lets Remote Users Access the C:\ Drive
SecurityTracker Alert ID:  1003011
SecurityTracker URL:  http://securitytracker.com/id/1003011
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 19 2001
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A default configuration vulnerability was reported in the Data Wizard FtpXQ FTP server. A remote user can read and write files on the C: drive.

It is reported that the default installation of the FtpXQ server gives anonymous users read/write access to the C: drive. In addition, a test account is created with the common username and password of "test". This test account also has read/write access to the C: drive.

Impact:   In the default configuration, a remote user can read and write to the C: drive without requiring authentication.
Solution:   The vendor plans to issue a fixed version that will ensure that, as a default configuration, anonymous users have read-only access. Furthermore, the installation process will display a note explicitly informing the administrator of the default account settings.
Vendor URL:  www.datawizard.net/Support/FtpXQ/ftpxq.htm (Links to External Site)
Cause:   Configuration error
Underlying OS:   Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.


 Source Message Contents

Date:  Tue, 18 Dec 2001 22:58:02 -0500
Subject:  FTPXQ default install read/write capabilities


FTPXQ default install read/write capabilities
by Brice Carlson


****
System
****
ftpXQ by www.datawizard.net

****
Problem
****
Upon default setup. Through anonymous and through the user name and pass of 
test you have read/write capabilities to drive c:

****
Vendor Notification Date.
****

December 4, 2001

****
Vendor Response to email.
****

Hi Brice, Yes, those IDs are configured by default to have access for the 
C:\ drive for the purpose of an administrator testing the server. We assume 
that every responsible administrator will run the server first in a test 
environment, and not in a production setting, or on an IP that is exposed to 
the internet. Administrators should obviously change the access for both of 
these accounts and/or change the User IDs before putting it into a 
production environment. As a result of your email however, we will change 
the default access for the anonymous user to be read only, as well as post a 
message at the end of the install noting the default access for the test 
users. Sincerely, Rahim

Rahim Mawji Director,
Applications Development
DataWizard Technologies
Phone: (416) 385-9741, x1013
Fax: (416) 385-9784
rmawji@datawizard.net www.datawizard.net

---end vendor response

****
Enough Said!
****


-- Brice Carlson
-- tuck167@hotmail.com

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC