|
|
>> Total Commander "WCX_FTP.INI" Information Disclosure Vulnerability
|
Title : Total Commander "WCX_FTP.INI" Information Disclosure Vulnerability
VUPEN ID : VUPEN/ADV-2005-2780
CVE ID : CVE-2005-4066
Rated as : Low Risk 
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2005-12-07
|
A vulnerability has been identified in Total Commander, which could be exploited by local attackers to gain knowledge of sensitive information. This flaw is due to a design error where a weak password encryption mechanism is used to store FTP account information in the "WCX_FTP.INI" file, which could be exploited by malicious users to obtain FTP usernames and passwords.
Note : The W32.Gudeb worm exploits this vulnerability to gather valid FTP accounts.
Affected Products
Total Commander version 6.53 and prior
Solution
VUPEN Security is not aware of any vendor-supplied patch.
References
http://www.vupen.com/english/advisories/2005/2780
http://www.networksecurity.fi/advisories/total-commander.html
Credits
Vulnerability reported by Juha-Matti Laurio
ChangeLog
2005-12-07 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
