FlashFXP 1.4 Local Password Disclosure Vulnerability

["Blud Clot" <bludclot () hellokitty com>]

Description: Local users may be able to view passwords for ftp sites.

Versions affected: This was discovered on FlashFXP 1.4 (build 800). It is likely, but not tested, that any version 1.x 
is vulnerable. FlashFXP 2.x is not vulnerable.

Vendor Contacted: E-mailed CEDsoft on 8/31/02. They responded within hours and informed me that they had already known 
about this vulnerability and that their publicly available beta version already had it fixed.

Details: When passwords are entered into FlashFXP they are generally echoed with asterisks, but there is an exception. 
When there are transfers in the queue the password is visible in cleartext by editing the queue properties.

Solution: Upgrade to the latest version.

Personal Note: I was very impressed with their response time and commitment to security.

-BludClot
-- 
____________________________________________________
Get your own Hello Kitty email @ www.sanriotown.com

Powered by Outblaze