mailing list archives
FlashFXP 1.4 Local Password Disclosure Vulnerability
From: "Blud Clot" <bludclot () hellokitty com>
Date: Tue, 22 Oct 2002 16:24:48 -0500
Description: Local users may be able to view passwords for ftp sites.
Versions affected: This was discovered on FlashFXP 1.4 (build 800). It is likely, but not tested, that any version 1.x
is vulnerable. FlashFXP 2.x is not vulnerable.
Vendor Contacted: E-mailed CEDsoft on 8/31/02. They responded within hours and informed me that they had already known
about this vulnerability and that their publicly available beta version already had it fixed.
Details: When passwords are entered into FlashFXP they are generally echoed with asterisks, but there is an exception.
When there are transfers in the queue the password is visible in cleartext by editing the queue properties.
Solution: Upgrade to the latest version.
Personal Note: I was very impressed with their response time and commitment to security.
Get your own Hello Kitty email @ www.sanriotown.com
Powered by Outblaze
- FlashFXP 1.4 Local Password Disclosure Vulnerability Blud Clot (Oct 22)