RhinoSoft Serv-U FTP Server transmits passwords in plaintext during authentication
| servu-ftp-plaintext-password (7925) |
Description:
RhinoSoft Serv-U transmits the password in plaintext during the authentication process when a user with administrative privileges logs on through the remote administration client with S/KEY one-time password (OTP) authentication enabled: the client sends the static password itself rather than only the one-time response, so the OTP scheme gives no protection against eavesdropping. A remote attacker using a sniffing tool could exploit this vulnerability to obtain the administrative user's password.
Consequences:
Gain Access
Remedy:
Upgrade to the latest version of Serv-U (3.1 or later), available from the RhinoSoft Web site. See References.
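The following is an added example, not code from the X-Force entry or from RhinoSoft, showing the check a practitioner would run before and after upgrading: set a known password on a test administrative account, log on once through the remote administration client while capturing the traffic, and then search every TCP payload in the capture for the raw secret. The method is protocol-independent, so it needs no knowledge of Serv-U's administration protocol. The two captures below are constructed in memory; their line format, the 192.0.2.x addresses and port 2000 are placeholders, not Serv-U's real protocol or port. Only the Python standard library is used.

```python
"""Offline check for a static password crossing the wire in the clear.

Added example, not part of the X-Force entry. The pcap frames are built here
with a made-up payload format and a hypothetical administration port.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Build a minimal Ethernet/IPv4/TCP frame. Checksums are left zero; the
    parser below never verifies them, which is also how sniffers behave."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1006000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp_payloads(pcap_bytes):
    """Yield (src_ip, sport, dst_ip, dport, payload) for every TCP segment in a
    classic pcap file of either byte order (non-IPv4/TCP frames are skipped)."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    pos = 24  # skip the global header
    while pos + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4            # IPv4 header length
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != IPPROTO_TCP or len(frame) < 14 + ihl + 20:
            continue
        tcp = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        doff = (frame[tcp + 12] >> 4) * 4       # TCP header length
        payload = frame[tcp + doff:14 + total_len]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        yield src, sport, dst, dport, payload


def find_cleartext(pcap_bytes, secret):
    """Return every TCP segment whose payload carries the secret verbatim.
    A non-empty result means the client sent the static password in the clear."""
    hits = []
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap_bytes):
        offset = payload.find(secret)
        if offset != -1:
            hits.append({"src": src, "sport": sport, "dst": dst, "dport": dport, "offset": offset})
    return hits


# Constructed test data: the password set on the test account, and two captures
# of a fictitious login dialogue on a hypothetical administration port.
SECRET = b"Tr0ub4dor&3"
ADMIN_CLIENT, ADMIN_SERVER, ADMIN_PORT = "192.0.2.10", "192.0.2.20", 2000

LEAKY_CAPTURE = build_pcap([
    build_tcp_frame(ADMIN_CLIENT, ADMIN_SERVER, 40001, ADMIN_PORT, b"USER admin\r\n"),
    build_tcp_frame(ADMIN_SERVER, ADMIN_CLIENT, ADMIN_PORT, 40001, b"331 otp-md5 95 se1234\r\n"),
    # Vulnerable behaviour: the client answers the OTP challenge with the static secret.
    build_tcp_frame(ADMIN_CLIENT, ADMIN_SERVER, 40001, ADMIN_PORT, b"PASS " + SECRET + b"\r\n"),
])

FIXED_CAPTURE = build_pcap([
    build_tcp_frame(ADMIN_CLIENT, ADMIN_SERVER, 40001, ADMIN_PORT, b"USER admin\r\n"),
    build_tcp_frame(ADMIN_SERVER, ADMIN_CLIENT, ADMIN_PORT, 40001, b"331 otp-md5 95 se1234\r\n"),
    # Expected behaviour: only the six-word one-time response crosses the wire.
    build_tcp_frame(ADMIN_CLIENT, ADMIN_SERVER, 40001, ADMIN_PORT, b"PASS HOOD NOEL CLAW OAK WOOL SITE\r\n"),
])

if __name__ == "__main__":
    for name, capture in (("leaky", LEAKY_CAPTURE), ("fixed", FIXED_CAPTURE)):
        hits = find_cleartext(capture, SECRET)
        print(name, "VULNERABLE" if hits else "clean", hits)
```

For a real check, replace the constructed captures with `open("login.pcap", "rb").read()` from a capture taken on the administrator's workstation during one remote logon, and search for the password you set; a hit pinpoints the segment and byte offset so the leaking message can be inspected. Note that the check only proves the vulnerability when it finds the secret; a clean result is only as good as the capture that fed it.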
References:
- RhinoSoft Web site: Serv-U 3.1 is Released!
- CVE-2001-1463: The remote administration client for RhinoSoft Serv-U 3.0 sends the user password in plaintext even when S/KEY One-Time Password (OTP) authentication is enabled, which allows remote attackers to sniff passwords.
- SECTRACK ID: 1002882: RhinoSoft FTP Serv-U Remote Administration Client Discloses Administrator Passwords When Using S/KEY One-Time Passwords
- US-CERT VU#279763: RhinoSoft Serv-U remote administration client transmits password in plaintext
Platforms Affected:
- Rhino Software Serv-U FTP Server 3.0
Reported:
Nov 19, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
