Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 13 Jun 2010 23:08:30 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com, "Steven M. Christey"
 <coley@...us.mitre.org>
Subject: CVE request - pyftpd default username and password vulnerability

File /etc/pyftpd/auth_db_config.py contains:

passwd = [('test', 'test', 'CY9rzUYh03PK3k6DJie09g=='),
 ('user', 'users', '7hHLsZBS5AsHqsDKBgwj7g=='),
 ('roxon', 'users', 'ItZ2pB7rPmzFV6hrtdnZ7A==')]

These accounts can be used to login to the FTP-server and read
arbitrary files and list directories. File perm_acl_config.py lists
user permissions.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585776

This affects version: 0.8.4

Can I have CVE-identifier for this issue?

---
Henri Salo

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ