Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

FTPPro insecuities

From: the-wall () WIRETRIP NET (The Wall)
Date: Mon, 27 Dec 1999 10:27:41 -0600

FTPPro v.7.5

FTPPro stores credit card information in multiple locations, unprotected,
and in plain text.

The program consists of 2 files, FTPPro20.exe and  FTPPro20.hlp.  These
files do not require their directory to be in the working %PATH%
statement.

When the program initializes for the first time, it creates a key in the
registry:

\HKEY_LOCAL_MACHINE\SOFTWARE\FTPPro98c

This key is set with the following permissions:

Administrator   (Full Control)
Creator Owner   (Full Control)
Everyone        (Special Access - Query Value
                                  Set Value
                                  Create Subkey
                                  Enumerate Subkeys
                                  Notify
                                  Delete
                                  Read Control)
System          (Full Control)

The primary purpose of this key is not to store any real program related
information, but to store license and registration information.  Among the
keys and their data are:

Credit Card #
Credit Card Expiration Date
Credit Card type (VISA, MC, etc.)
Name, Address, City, State, Zip, Phone

The program will not submit the registration information until all of the
above information (and more) is provided.  All of this information is
stored in the registry unprotected.  The only relevant program information
stored under this key is the program version and the "LastRunDate".

In addition to entering all of the above data into the registry, the
program provides a "Register Offline" option.  This option will create a
text file called "Register.txt" in the program working directory
containing all of the above information in clear text.

Sabine Consulting, the program distributors, have been notified.
Previous By Date Next
Previous By Thread Next

Current thread: