Bugtraq mailing list archives

Re: FTGate vulnerability. (fwd)


From: ah () SECURITYFOCUS COM (Alfred Huger)
Date: Wed, 10 Nov 1999 18:03:26 -0800


Alfred Huger
VP of Operations
Security Focus

---------- Forwarded message ----------
Date: Thu, 11 Nov 1999 00:21:46 -0000
From: Dom De Vitto <dom () devitto com>
To: Alfred Huger <ah () securityfocus com>
Cc: vuldb () securityfocus com
Subject: RE: FTGate vulnerability.

Dom,
I am not sure if anyone has responded to you yet, if not, please let me
apologize, we are pretty busy here right now.

Yea, I know busy, things fall through cracks all the time at my current
contract, but they live with it and it's accepted....

I will take your notes into the description. Two questions, one do you
want me to add your name to the credit list, I like to do this but some
people get a little leery of it. Two, can I fwd this to Bugtraq?

1) I'm easy about getting credit, so if you want to credit me, that's fine.
2) I already sent this to _NT_Bugtraq, but I think my new (non list-reg'd address)
   confused the listbot, so I sent it direct to Russ too - no response as yet :(
   But feel free to redistribute anything I've written to anywhere.

I'm one of the founders and moderators of comp.lang.c++.moderated, so
I've had to make sure what I say is "suitable for public consumption",
even if it's to private parties - assuming anyone can define 'private'
nowadays...:(

Thanks, and keep up the good work!
Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto
Secure Technologies Ltd.                           Mob. 07971 589 201
mailto:dom () devitto com                             Tel. 01202 738 767
http://www.devitto.com                             Fax. 08700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: Alfred Huger [mailto:ah () securityfocus com]
Sent: Wednesday, November 10, 1999 8:43 PM
To: Dom De Vitto
Cc: vuldb () securityfocus com
Subject: Re: FTGate vulnerability.

Dom,

I am not sure if anyone has responded to you yet, if not, please let me
apologize, we are pretty busy here right now.

I will take your notes into the description. Two questions, one do you
want me to add your name to the credit list, I like to do this but some
people get a little leery of it. Two, can I fwd this to Bugtraq?

Nov 1999, Dom De Vitto wrote:

Ref:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=548

This problem was fixed in the next release v2.2, a long time ago.
The SEVENTH v2.2 service release was released over a month ago, so this
bug only affects very old FTGate installations.

To solve this problem either upgrade your copy of FTGate to the current
release (for free), or only bind the web interface to 'trusted' interfaces.

I also think the USSR labs have taken unjustified credit for a bug
discovered and fixed a long time ago by others - quite possibly by
examining the 'bug fixed' list for the v2.2 release....

The real "impact" of this is that anyone is likely to be able to read
anyone's email, including incoming/outgoing mail.  POP passwords are also
available for those with *any* hacking skills at all...

Dom
PS. I have no relation to FTGate other than being a happy, freeware
user - & I'm running the "vulnerable" v2.1, but have always only bound
the web server to 127.0.0.1...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto
Secure Technologies Ltd.                           Mob. 07971 589 201
mailto:dom () devitto com                             Tel. 01202 738 767
http://www.devitto.com                             Fax. 08700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Alfred Huger
VP of Operations
Security Focus
