[原文]InstantServers MiniPortal 1.1.5 and earlier stores sensitive login and account data in plaintext in (1) .pwd files in the miniportal/apache directory, or (2) mplog.txt, which could allow local users to gain privileges.
InstantServers MiniPortal is a web server package for Windows based machines, based on the Apache project web server. It includes a web based administrative interface, and a bundled FTP server.
MiniPortal stores user's authentication and user account information in the file ftpusers.pwd. Login and session information is stored in miniportal.txt or mplog.txt. Due to a design flaw both files are stored in plain text.
No exploit code required.
MiniPortal version 1.1.6 is not affected by this issue: