acFTP is an open-source replacement for Microsoft FTP server and other proprietary FTP servers for Windows. Unlike MS FTP, acFTP supports an extended FTP command set, including APPE and REST for resuming broken uploads and downloads. Due to a flaw in the authentication code of acFTP, the server treats users as logged in even when they have not supplied a valid password. This results in misrepresentation of server activity in log files, and possibly privilege elevation.

Credit:
The information has been provided by Matthew Murphy.
Vulnerable systems:
* acFTP version 1.4
For example:
USER private
PASS #
This leads the server to reject our password, but we cannot log in with another set of credentials, and our log activity appears as "private" instead of the appropriate "-" or "***".
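
The state handling that avoids this condition, as an added example that is not acFTP's code and not part of the original advisory: the name sent with USER stays a pending claim until PASS succeeds, and the log identity and command gate read only the authenticated state. The struct, the function names and the "private"/"s3cret" account are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical session model for illustration; not acFTP's code. */
struct session {
    char pending[32]; /* name claimed by USER, not yet verified */
    char user[32];    /* set only after PASS succeeds */
    int authed;
};

/* Constructed credential store: one account, "private" / "s3cret". */
static int check_password(const char *u, const char *p) {
    return strcmp(u, "private") == 0 && strcmp(p, "s3cret") == 0;
}

int on_user(struct session *s, const char *name) {
    s->authed = 0;            /* a new USER resets any earlier login */
    s->user[0] = '\0';
    snprintf(s->pending, sizeof s->pending, "%s", name);
    return 331;               /* user name okay, need password */
}

int on_pass(struct session *s, const char *pw) {
    int ok = s->pending[0] != '\0' && check_password(s->pending, pw);
    if (ok) {
        snprintf(s->user, sizeof s->user, "%s", s->pending);
        s->authed = 1;
    }
    s->pending[0] = '\0';     /* a failed PASS discards the claimed name */
    return ok ? 230 : 530;
}

/* Name written to the log: "-" until authentication has succeeded. */
const char *log_identity(const struct session *s) {
    return s->authed ? s->user : "-";
}

/* Gate for every command that requires a login (APPE, REST, ...). */
int command_allowed(const struct session *s) {
    return s->authed;
}

int main(void) {
    struct session s = {0};
    on_user(&s, "private");
    int code = on_pass(&s, "#");   /* the exchange shown in the advisory */
    printf("PASS # -> %d, logged as \"%s\"\n", code, log_identity(&s));
    return 0;
}
```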