CVE-2001-1111
CVSS 4.6
Published: 2001-09-12 00:00:00
Last revised: 2008-09-05 16:25:43

[Original] EFTP 2.0.7.337 stores user passwords in plaintext in the eftp2users.dat file.


[CNNVD] EFTP Plaintext Password Storage Vulnerability (CNNVD-200109-046)

EFTP version 2.0.7.337 stores user passwords in plaintext in the eftp2users.dat file.

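- CVSS (Base Score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]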

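- CPE (Affected Platforms and Products)

Product and version information (CPE) is not currently available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links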

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1111
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1111
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200109-046
(official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/static/7116.php
(VENDOR_ADVISORY)  XF  eftp-plaintext-password(7116)
http://www.securityfocus.com/bid/3332
(VENDOR_ADVISORY)  BID  3332
http://www.securityfocus.com/archive/1/213647
(VENDOR_ADVISORY)  BUGTRAQ  20010912 EFTP Version 2.0.7.337 vulnerabilities

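- Vulnerability Information

EFTP Plaintext Password Storage Vulnerability
Medium severity, design error
2001-09-12 00:00:00 2005-10-20 00:00:00
Local
EFTP version 2.0.7.337 stores user passwords in plaintext in the eftp2users.dat file.

- Advisories and Patches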

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability Information

4093
EFTP eftp2users.dat Passwords Stored in Cleartext
Remote / Network Access Cryptographic, Information Disclosure
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability Description

EFTP contains a flaw that may allow a local or remote attacker to gain the passwords of every FTP user. The issue is due to the program not using encryption when storing user passwords in the \Program Files\eftp2\eftp2users.dat file.

- Timeline

2001-09-12 Unknown
2001-09-12 Unknown

- Solution

Upgrade to version 3.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

- Vulnerability Information

EFTP Clear Text Password Storage Vulnerability
Design Error 3332
No Yes
2001-09-12 12:00:00 2009-07-11 07:56:00
This vulnerability was posted to BugTraq by ByteRage <byterage@yahoo.com>.

- Affected Program Versions

Khamil Landross and Zack Jones EFTP 2.0.7.337
+ Cisco iCDN 2.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0

- Discussion

Encrypted FTP (EFTP) is both an FTP client and server application for Windows platforms.

EFTP stores all usernames and passwords in the file \Program Files\eftp2\eftp2users.dat in clear text. If a malicious user were to gain access to this file, they would have a list of all usernames and their associated passwords.

- Exploit

There is no exploit code required to take advantage of this vulnerability.

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related References

 

 
