Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (File Transfer/Sharing)  >   Secure FTP Applet Vendors:   JSCAPE
Secure FTP Applet Does Not Verify SSH Server Host Keys
SecurityTracker Alert ID:  1020346
SecurityTracker URL:
CVE Reference:   CVE-2008-5124   (Links to External Site)
Updated:  Nov 19 2008
Original Entry Date:  Jun 23 2008
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 4.9.0
Description:   A vulnerability was reported in Secure FTP Applet. A remote user can conduct man-in-the-middle attacks.

The software does not verify the host key when the target user connects to the target server. A remote user can conduct a man-in-the-middle attack to monitor the connection between the target user and target server.

The vendor was notified on April 12, 2006.

Frank Dick and Thierry Zoller of n.runs AG reported this vulnerability.

Impact:   A remote user can conduct man-in-the-middle attacks to monitor the connection.
Solution:   The vendor has issued a fixed version (4.9.0).
Vendor URL: (Links to External Site)
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] n.runs-SA-2008.001 - Jscape Secure FTP Applet

n.runs AG


Vendor:             Jscape,
Affected Products:  Jscape Secure FTP Applet
Vulnerability:      SSH Host key is not verified allowing for Man in the
Risk:               High

JSCAPE software has been deployed in a wide array of industries including
aerospace, banking, communications, education, insurance, finance,
government and software. With customers in more than 50 countries worldwide
the following is a small sample of companies who use JSCAPE products and
services. Customers include Boeing, SUN, ISS, SAP - See for more details.

Secure FTP Applet is a secure FTP client component that runs within your web
browser. Secure FTP Applet [..] while encrypting all data exchanged between
the client and server using either the SFTP (FTP over SSH) or FTPS (FTP over
SSL) protocols [..] ensuring that all data exchanged is completely secure.

During the connection the Applet does not verify or display the host key. As
such n.runs was able to perform a man in the middle attack during a
penetration test at a client.
Read more about SSH Host verification:

The supposedly secure connection is no longer secure. n.runs was able to
extract login, password and data with a simple SSH Man in the Middle attack.

Upgrade to version 4.9.0 or above


Vendor communication:

  2006/04/12   n.runs sends a Vulnerability notice informing Jscape about
               nature of the problem and the impact. 
  2006/04/13   Jscape acknowledges and ask for more details
  2006/04/13   n.runs sends more details 
  2007/07/26   n.runs asks for feedback and if the problem has been patched
  2007/07/26   Jscape replies "We do not have a release date yet for this
  2007/07/26   n.runs asks whether they can offer a estimate when the patch
               will be available
  2007/07/26   Jscape answers again "We do not have a release date yet for
  2008/02/19   n.runs requests a statement to be used in the advisory as
               seems to be no intention to patch and argues "you deem this 
               problem as low yet it renders the *secure connection*
  2008/02/20   Jscape promises to "continue to look into this issue and
               you when a patch is available.      
  2008/02/25   n.runs notifies Jscape that an advisory will be released by
               end of the week if they do not patch the flaw n.runs reported

               roughly 2 years ago.
               "Given the long time this has already been reported
               and the criticality of this issue, I would expect a patch to
               ready by the end of the week. If the patch is not available
               the end of this week (29.02.2008) I'll proceed with the
  2008/02/29   Jscape notifies n.runs that the flaw has been patched
  2008/06/01   n.runs verifies the patch and confirms that Man in the Middle
               not longer possible if the user does not accept the new key. 
               n.runs however recommends that Jscape warns the users of the 
               security implications of a new SSH Host key rather then
               displaying "New Host key".

Vulnerability discovered by Frank Dick and Thierry Zoller of n.runs AG.

About n.runs
n.runs AG is a vendor-independent consulting company specialising in the
areas of: IT Infrastructure, IT Security and IT Business Consulting. In
2007, n.runs expanded its core business area, which until then had been
project based consulting, to include the development of high-end security
Application Protection System - Anti Virus (aps-AV) is the first high-end
security solution that n.runs is bringing to the market.

Advisories can be found at :

Copyright Notice
Unnaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded. In
no event shall n.runs be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if  n.runs has been advised of the possibility of such

Copyright n.runs AG. All rights reserved. Terms of use apply.


Subscribe to the n.runs newsletter to be informed of the latest threats and
tools by signing up to :

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC