Bugtraq mailing list archives
Re: FTGate vulnerability. (fwd)
From: ah () SECURITYFOCUS COM (Alfred Huger)
Date: Wed, 10 Nov 1999 18:03:26 -0800
Alfred Huger
VP of Operations
Security Focus

---------- Forwarded message ----------
Date: Thu, 11 Nov 1999 00:21:46 -0000
From: Dom De Vitto <dom () devitto com>
To: Alfred Huger <ah () securityfocus com>
Cc: vuldb () securityfocus com
Subject: RE: FTGate vulnerability.
> Dom, I am not sure if anyone has responded to you yet, if not, please let me apologize, we are pretty busy here right now.
Yea, I know busy, things fall through cracks all the time at my current contract, but they live with it and it's accepted....
> I will take your notes into the description. Two questions: one, do you want me to add your name to the credit list? I like to do this, but some people get a little leery of it. Two, can I fwd this to Bugtraq?
1) I'm easy about getting credit, so if you want to credit me, that's fine.

2) I already sent this to _NT_Bugtraq, but I think my new (non list-reg'd address) confused the listbot, so I sent it direct to Russ too - no response as yet :(

But feel free to redistribute anything I've written to anywhere. I'm one of the founders and moderators of comp.lang.c++.moderated, so I've had to make sure what I say is "suitable for public consumption", even if it's to private parties - assuming anyone can define 'private' nowadays...:(

Thanks, and keep up the good work!

Dom

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto          Secure Technologies Ltd.
Mob. 07971 589 201    mailto:dom () devitto com
Tel. 01202 738 767    http://www.devitto.com
Fax. 08700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: Alfred Huger [mailto:ah () securityfocus com]
Sent: Wednesday, November 10, 1999 8:43 PM
To: Dom De Vitto
Cc: vuldb () securityfocus com
Subject: Re: FTGate vulnerability.

Dom,

I am not sure if anyone has responded to you yet, if not, please let me apologize, we are pretty busy here right now.

I will take your notes into the description. Two questions: one, do you want me to add your name to the credit list? I like to do this, but some people get a little leery of it. Two, can I fwd this to Bugtraq?

Nov 1999, Dom De Vitto wrote:
Ref: http://www.securityfocus.com/level2/?go=vulnerabilities&id=548

This problem was fixed in the next release v2.2, a long time ago. The SEVENTH v2.2 service release was released over a month ago, so this bug only affects very old FTGate installations.

To solve this problem either upgrade your copy of FTGate to the current release (for free), or only bind the web interface to 'trusted' interfaces.

I also think the USSR labs have taken unjustified credit for a bug discovered and fixed a long time ago by others - quite possibly by examining the 'bug fixed' list for the v2.2 release....

The real "impact" of this is that anyone is likely to be able to read anyone's email, including incoming/outgoing mail. POP passwords are also available for those with *any* hacking skills at all...

Dom

PS. I have no relation to FTGate other than being a happy, freeware user - & I'm running the "vulnerable" v2.1, but have always only bound the web server to 127.0.0.1...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto          Secure Technologies Ltd.
Mob. 07971 589 201    mailto:dom () devitto com
Tel. 01202 738 767    http://www.devitto.com
Fax. 08700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Alfred Huger
VP of Operations
Security Focus