CesarFTP settings.ini Authentication Credential Plaintext Disclosure

Severity: Low. Nessus Plugin ID 11640

Synopsis

The remote FTP server is storing unencrypted passwords on disk.

Description

The remote host is running CesarFTP.

Due to a design flaw in the program, the usernames and passwords of FTP users are stored in plaintext in the file 'settings.ini'. Any user with an account on this host may read this file and use the passwords it contains to connect to this FTP server.

Solution

There is no known solution at this time.

See Also

https://seclists.org/bugtraq/2001/May/248

https://seclists.org/bugtraq/2003/May/211

Plugin Details

Severity: Low

ID: 11640

File Name: cesarftp_passwd.nasl

Version: 1.20

Type: local

Agent: windows

Family: Windows

Published: 5/20/2003

Updated: 11/15/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Low

Base Score: 2.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:aclogic:cesarftp

Required KB Items: SMB/Registry/Enumerated

Vulnerability Publication Date: 5/28/2001

Reference Information

CVE: CVE-2001-1336, CVE-2003-0329