SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   vsftpd
Vendors:   Evans, Chris
vsftpd Discloses Whether Usernames are Valid or Not
SecurityTracker Alert ID:  1008628
SecurityTracker URL:  http://securitytracker.com/id/1008628
CVE Reference:   CVE-2004-0042
Updated:  Jul 6 2008
Original Entry Date:  Jan 7 2004
Impact:   Disclosure of user information
Exploit Included:  Yes  
Version(s): 1.1.3
Description:   CyberTalon reported a vulnerability in vsftpd. A remote user can determine valid usernames on the FTP server.

In September 2003, it was reported that the system returns different information depending on whether a valid username or an invalid username is supplied. A remote user can determine valid FTP user account names.

According to the report, the system responds with '530 Login incorrect' if a valid username and an incorrect password are supplied, but responds with '530 Permission denied' if an invalid username is provided.

Impact:   A remote user can determine whether a specified username is valid or not.
Solution:   No solution was available at the time of this entry.
Vendor URL:  vsftpd.beasts.org/
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Zipped file of txt vulnerabilities


vsFTPd 1.1.3 Lets remote users know if the username they supply is right
                    Found by: CyberTalon

1. Problem
2. Exploit
3. Info

1. vsFTPd 1.1.3 lets remote users know if the username they supply is right or wrong.

2. Session with right username and wrong password:

220 (vsFTPd 1.1.3)
Name (host:name): rightusername
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed.
ftp>

Session with wrong username:

220 (vsFTPd 1.1.3)
Name (host:name): wrongusername
530 Permission denied.
ftp: Login failed.
ftp>

3. Vendor URL: Unknown

-CT
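
The two sessions quoted above, reduced to their server replies and checked against a small model of the login exchange. This is an added example, not code from the report or from vsftpd: the account table, the function names and the uniform-reply variant are assumptions made for illustration, and the page lists no vendor fix.

```python
import hmac
import re

ACCOUNTS = {"rightusername": "constructed-password"}  # constructed sample account

# The two sessions quoted in the source message above.
VALID_NAME_SESSION = """220 (vsFTPd 1.1.3)
Name (host:name): rightusername
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed."""
INVALID_NAME_SESSION = """220 (vsFTPd 1.1.3)
Name (host:name): wrongusername
530 Permission denied.
ftp: Login failed."""


def auth_replies(session):
    """Server replies (3-digit code lines) that follow the 220 banner."""
    lines = [l for l in session.splitlines() if re.match(r"\d{3} ", l)]
    return [l for l in lines if not l.startswith("220 ")]


def leaky_login(user, password):
    """Model of the reported behaviour: unknown names fail at the USER stage."""
    if user not in ACCOUNTS:
        return ["530 Permission denied."]
    ok = hmac.compare_digest(ACCOUNTS[user].encode(), password.encode())
    return ["331 Please specify the password.",
            "230 Login successful." if ok else "530 Login incorrect."]


def uniform_login(user, password):
    """Hypothetical hardened model: always prompt, one failure reply."""
    expected = ACCOUNTS.get(user)
    # Compare against a placeholder for unknown names so both paths do the same work.
    match = hmac.compare_digest((expected or "placeholder").encode(), password.encode())
    ok = expected is not None and match
    return ["331 Please specify the password.",
            "230 Login successful." if ok else "530 Login incorrect."]


def discloses_usernames(login, known, unknown, bad_password="constructed-wrong"):
    """True when failed logins for a real and an unknown name are distinguishable."""
    return login(known, bad_password) != login(unknown, bad_password)
```

`discloses_usernames` can serve as a regression check in a test suite: it should return False for any login handler whose failure path does not depend on whether the account exists.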
