Henri Salo | 13 Jun 22:08 2010

CVE request - pyftpd default username and password vulnerability

File /etc/pyftpd/auth_db_config.py contains:

passwd = [('test', 'test', 'CY9rzUYh03PK3k6DJie09g=='),
 ('user', 'users', '7hHLsZBS5AsHqsDKBgwj7g=='),
 ('roxon', 'users', 'ItZ2pB7rPmzFV6hrtdnZ7A==')]

These accounts can be used to log in to the FTP-server and read
arbitrary files and list directories. File perm_acl_config.py lists
user permissions.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585776

This affects version: 0.8.4

Can I have a CVE identifier for this issue?

---
Henri Salo
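
An added example, not part of the original message and not pyftpd's own code: a defender-side audit that reads an auth_db_config.py without executing it and flags entries inherited from the three shipped accounts quoted above. The sample config, the `alice` account, the placeholder hash and the function names are constructed for illustration.

```python
import ast
import sys

# The three entries shipped in /etc/pyftpd/auth_db_config.py, as quoted in the report.
SHIPPED_DEFAULTS = {
    ("test", "test", "CY9rzUYh03PK3k6DJie09g=="),
    ("user", "users", "7hHLsZBS5AsHqsDKBgwj7g=="),
    ("roxon", "users", "ItZ2pB7rPmzFV6hrtdnZ7A=="),
}
DEFAULT_NAMES = {name for name, _group, _hash in SHIPPED_DEFAULTS}

# Constructed sample config (not a real installation).
SAMPLE = """
passwd = [('test', 'test', 'CY9rzUYh03PK3k6DJie09g=='),
 ('roxon', 'users', 'CONSTRUCTED-PLACEHOLDER-HASH=='),
 ('alice', 'staff', 'CONSTRUCTED-PLACEHOLDER-HASH==')]
"""

def load_passwd(source):
    """Return the passwd entries from config source without executing the file."""
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "passwd" for t in node.targets
        ):
            return [tuple(entry) for entry in ast.literal_eval(node.value)]
    raise ValueError("no 'passwd' assignment found")

def audit(source):
    """List (username, reason) for entries inherited from the shipped config."""
    findings = []
    for entry in load_passwd(source):
        if len(entry) != 3:
            findings.append((repr(entry), "malformed entry"))
        elif entry in SHIPPED_DEFAULTS:
            findings.append((entry[0], "shipped default credential"))
        elif entry[0] in DEFAULT_NAMES:
            findings.append((entry[0], "default account name, hash changed"))
    return findings

if __name__ == "__main__":
    # Hypothetical usage: pass the config path, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results = audit(text)
    for user, reason in results:
        print(f"{user}: {reason}")
    sys.exit(1 if results else 0)
```

A non-zero exit status means at least one shipped account or account name is still present in the audited file.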

Josh Bressers | 14 Jun 21:35 2010

Re: CVE request - pyftpd default username and password vulnerability

Please use CVE-2010-2073 for this.

Thanks.

-- 
    JB

----- "Henri Salo" <henri@...> wrote:

> File /etc/pyftpd/auth_db_config.py contains:
> 
> passwd = [('test', 'test', 'CY9rzUYh03PK3k6DJie09g=='),
>  ('user', 'users', '7hHLsZBS5AsHqsDKBgwj7g=='),
>  ('roxon', 'users', 'ItZ2pB7rPmzFV6hrtdnZ7A==')]
> 
> These accounts can be used to log in to the FTP-server and read
> arbitrary files and list directories. File perm_acl_config.py lists
> user permissions.
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585776
> 
> This affects version: 0.8.4
> 
> Can I have a CVE identifier for this issue?
> 
> ---
> Henri Salo

