ProFTPD Auth API State Error May Let Remote Users Access the System in Certain Cases
SecurityTracker Alert ID: 1017931 |
SecurityTracker URL: http://securitytracker.com/id/1017931
CVE Reference:
CVE-2007-2165
Updated: Jun 21 2007
Original Entry Date: Apr 18 2007
Impact:
User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.3.1rc2 and prior versions
Description:
A vulnerability was reported in ProFTPD. A remote user may be able to access the target service in certain cases.
When the system is configured with multiple simultaneous authentication modules, the ProFTPD Auth API may accept user data from one module while a different module authenticates the user. If any of the auth modules have different authentication policies, this may allow the remote user to bypass authentication.
The original report is available at:
http://bugs.proftpd.org/show_bug.cgi?id=2922
Evgeni Golov reported this vulnerability.
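The state error described above can be shown with a small model. This is an added example, not ProFTPD source code and not taken from the original report; the module names, the user, the passwords and the paths are constructed, and each module is assumed to hold a single user record.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT ProFTPD source. Module names, users, passwords
 * and paths are constructed; strcmp() stands in for a real password check. */
struct user { const char *name, *pass, *home; };
struct module { const char *id; struct user u; };

static const struct module mods[] = {
    { "mod_strict", { "alice", "long-strong-pw", "/srv/finance" } },
    { "mod_lax",    { "alice", "guest",          "/srv/public"  } },
};
enum { NMODS = sizeof mods / sizeof mods[0] };

static const struct user *find(const struct module *m, const char *name) {
    return strcmp(m->u.name, name) == 0 ? &m->u : NULL;
}

/* The first module that knows the name supplies the user data. */
static const struct user *lookup(const char *name, int *src) {
    for (int i = 0; i < NMODS; i++)
        if (find(&mods[i], name)) { *src = i; return &mods[i].u; }
    return NULL;
}

static int check(const struct module *m, const char *name, const char *pw) {
    const struct user *u = find(m, name);
    return u && strcmp(u->pass, pw) == 0;
}

/* State error: any module may approve, whoever supplied the user data. */
const char *login_unbound(const char *name, const char *pw) {
    int src = 0; const struct user *u = lookup(name, &src);
    for (int i = 0; u && i < NMODS; i++)
        if (check(&mods[i], name, pw)) return u->home;
    return NULL;
}

/* Bound: only the module that supplied the record may authenticate it. */
const char *login_bound(const char *name, const char *pw) {
    int src = 0; const struct user *u = lookup(name, &src);
    return (u && check(&mods[src], name, pw)) ? u->home : NULL;
}

int main(void) {
    const char *a = login_unbound("alice", "guest"), *b = login_bound("alice", "guest");
    printf("unbound: %s\nbound: %s\n", a ? a : "denied", b ? b : "denied");
    return 0;
}
```

In the unbound variant the session receives the record from one module on the strength of a password that only the other module accepts; binding the check to the supplying module closes that gap.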
Impact:
A remote user may be able to access the server without proper authentication credentials.
Solution:
A fix is available via CVS.
Vendor URL: www.proftpd.org/
Cause:
State error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
None.
Source Message Contents
Date: Wed, 18 Apr 2007 07:40:39 -0400
Subject: ProFTPD
http://bugs.proftpd.org/show_bug.cgi?id=2922