Home page logo

bugtraq logo Bugtraq mailing list archives

FlashFXP 1.4 Local Password Disclosure Vulnerability
From: "Blud Clot" <bludclot () hellokitty com>
Date: Tue, 22 Oct 2002 16:24:48 -0500

Description: Local users may be able to view passwords for ftp sites.

Versions affected: This was discovered on FlashFXP 1.4 (build 800). It is likely, but not tested, that any version 1.x 
is vulnerable. FlashFXP 2.x is not vulnerable.

Vendor Contacted: E-mailed CEDsoft on 8/31/02. They responded within hours and informed me that they had already known 
about this vulnerability and that their publicly available beta version already had it fixed.

Details: When passwords are entered into FlashFXP they are generally echoed with asterisks, but there is an exception. 
When there are transfers in the queue the password is visible in cleartext by editing the queue properties.

Solution: Upgrade to the latest version.

Personal Note: I was very impressed with their response time and commitment to security.

Get your own Hello Kitty email @ www.sanriotown.com

Powered by Outblaze

  By Date           By Thread  

Current thread:
  • FlashFXP 1.4 Local Password Disclosure Vulnerability Blud Clot (Oct 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]