[Original] The remote administration client for RhinoSoft Serv-U 3.0 sends the user password in plaintext even when S/KEY One-Time Password (OTP) authentication is enabled, which allows remote attackers to sniff passwords.
Serv-U FTP Server Persistent Cleartext Password Transmission
Remote / Network Access
Loss of Confidentiality
The Serv-U FTP server contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when the server is configured to use S/KEY one-time password (OTP) authentication. The remote administration client shipped with version 3.0 ignores the S/KEY OTP challenge and transmits the static account password in cleartext instead of a one-time response. An attacker positioned to observe the administration traffic can capture that password and reuse it, which defeats the purpose of OTP (a captured one-time value would be useless, the static password is not) and results in a loss of confidentiality.
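To make the failure mode concrete, the following added example (not code from RhinoSoft or from this database entry) implements the S/KEY hash chain from RFC 2289 (MD5 variant), a server that verifies one-time responses without holding the passphrase, and a passive audit that walks a captured login exchange and flags a PASS argument that answers an OTP challenge with something other than a one-time response. The Serv-U remote-administration wire format is not described on this page, so the transcripts, the account name, the seed and the passphrase are all constructed and use the standard FTP-style "331 otp-md5 <seq> <seed>" challenge form only as an illustration.

```python
"""S/KEY OTP (RFC 2289, MD5 variant) plus a passive check for a client that answers
an OTP challenge with its static password. Added example; all session data and
names below are constructed, not taken from Serv-U."""
import hashlib
import re


def _fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XORing its halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def skey_otp(passphrase: str, seed: str, seq: int) -> bytes:
    """OTP number `seq` in the chain: fold(seed || passphrase), then `seq` more folds.
    The seed is case-insensitive and is lowercased before hashing."""
    x = _fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(seq):
        x = _fold_md5(x)
    return x


class SkeyServer:
    """Holds only the last accepted OTP (sequence seq + 1), never the passphrase."""

    def __init__(self, passphrase: str, seed: str, seq: int):
        self.seed, self.seq = seed, seq
        self.last = skey_otp(passphrase, seed, seq + 1)  # provisioned once, out of band

    def challenge(self) -> str:
        return f"331 otp-md5 {self.seq} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept `response` iff fold(response) equals the stored OTP, then roll forward.
        A replayed or static value fails because it does not hash to the stored one."""
        try:
            resp = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(resp) != 8 or _fold_md5(resp) != self.last:
            return False
        self.last, self.seq = resp, self.seq - 1
        return True


CHALLENGE_RE = re.compile(r"^331 otp-(?:md4|md5|sha1) \d+ \S+")
HEX_OTP_RE = re.compile(r"^[0-9A-Fa-f]{16}$")            # 64-bit OTP as 16 hex digits
SIX_WORD_RE = re.compile(r"^(?:[A-Z]{1,4} ){5}[A-Z]{1,4}$")  # RFC 2289 six-word form


def audit_session(lines):
    """Passive check over 'C: ...' / 'S: ...' transcript lines. After an OTP challenge,
    a PASS argument that is neither hex nor six-word OTP is returned as a suspected
    cleartext static password, the condition this advisory describes."""
    findings, challenged = [], False
    for line in lines:
        who, _, text = line.partition(" ")
        if who == "S:":
            challenged = bool(CHALLENGE_RE.match(text))
        elif who == "C:" and text.upper().startswith("PASS "):
            arg = text[5:]
            if challenged and not (HEX_OTP_RE.match(arg) or SIX_WORD_RE.match(arg)):
                findings.append(arg)
            challenged = False
    return findings


# Constructed credentials for the demonstration (hypothetical, not real values).
PASSPHRASE, SEED, SEQ = "correct horse battery staple", "sv12345", 98


def demo() -> dict:
    server = SkeyServer(PASSPHRASE, SEED, SEQ)
    otp = skey_otp(PASSPHRASE, SEED, SEQ).hex().upper()
    good_client = ["C: USER admin", "S: " + server.challenge(),
                   "C: PASS " + otp, "S: 230 User logged in"]
    flawed_client = ["C: USER admin", "S: " + server.challenge(),
                     "C: PASS " + PASSPHRASE]   # static password on the wire
    return {
        "otp_accepted": server.verify(otp),
        "replay_rejected": not server.verify(otp),
        "next_otp_accepted": server.verify(skey_otp(PASSPHRASE, SEED, SEQ - 1).hex()),
        "static_password_rejected": not SkeyServer(PASSPHRASE, SEED, SEQ).verify(PASSPHRASE),
        "good_client_leaks": audit_session(good_client),
        "flawed_client_leaks": audit_session(flawed_client),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The audit function is deliberately content-based rather than port-based: it does not know anything about Serv-U and only asks whether what followed an S/KEY challenge could be a one-time response. Run against a real capture it will also flag clients that fall back to static passwords for reasons other than this bug, so treat a finding as a prompt to inspect the session, not as proof of the Serv-U 3.0 behaviour.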
Upgrade to version 3.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.