oss-sec mailing list archives

Re: CVE request - pyftpd default username and password vulnerability

From: Josh Bressers <bressers () redhat com>
Date: Mon, 14 Jun 2010 15:35:48 -0400 (EDT)

Please use CVE-2010-2073 for this.

Thanks.

-- 
    JB


----- "Henri Salo" <henri () nerv fi> wrote:

File /etc/pyftpd/auth_db_config.py contains:

passwd = [('test', 'test', 'CY9rzUYh03PK3k6DJie09g=='),
 ('user', 'users', '7hHLsZBS5AsHqsDKBgwj7g=='),
 ('roxon', 'users', 'ItZ2pB7rPmzFV6hrtdnZ7A==')]

These accounts can be used to login to the FTP-server and read
arbitrary files and list directories. File perm_acl_config.py lists
user permissions.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585776

This affects version: 0.8.4

Can I have CVE-identifier for this issue?

---
Henri Salo

Current thread:

CVE request - pyftpd default username and password vulnerability Henri Salo (Jun 13)
- Re: CVE request - pyftpd default username and password vulnerability Josh Bressers (Jun 14)