Executive Summary
| Summary | |
|---|---|
| Title | New gftp packages won't display the password |
| Informations | |||
|---|---|---|---|
| Name | DSA-084 | First vendor Publication | 2001-10-18 |
| Vendor | Debian | Last vendor Modification | 2001-10-18 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 4.6 | Attack Range | Local |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 3.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Stephane Gaudreault told us that version 2.0.6a of gftp displays the password in plain text on the screen within the log window when it is logging into an ftp server. A malicious collegue who is watching the screen could gain access to the users shell on the remote machine. This problem has been fixed by the Security Team in version 2.0.6a-3.2 for the stable Debian GNU/Linux 2.2. We recommend that you upgrade your gftp package. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 2.2 alias potato |
Original Source
| Url : http://www.debian.org/security/2001/dsa-084 |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 084-1 (gftp) File : nvt/deb_084_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 13564 | gFTP FTP Client Cleartext Password Disclosure gFTP contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the password is displayed in plaintext during login or stored in the log file when logging is enabled occurs, which will disclose a user's password information resulting in a loss of confidentiality. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-084.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:25:29 |
|
