[12529] in bugtraq


Re: FTGate vulnerability. (fwd)

daemon@ATHENA.MIT.EDU (Alfred Huger)
Thu Nov 11 12:56:31 1999

Message-Id:  <Pine.GSO.4.10.9911101803210.13415-200000@www.securityfocus.com>
Date:         Wed, 10 Nov 1999 18:03:26 -0800
Reply-To: Alfred Huger <ah@SECURITYFOCUS.COM>
From: Alfred Huger <ah@SECURITYFOCUS.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM




Alfred Huger
VP of Operations
Security Focus

---------- Forwarded message ----------
Date: Thu, 11 Nov 1999 00:21:46 -0000
From: Dom De Vitto <dom@devitto.com>
To: Alfred Huger <ah@securityfocus.com>
Cc: vuldb@securityfocus.com
Subject: RE: FTGate vulnerability.

> Dom,
> I am not sure if anyone has responded to you yet, if not, please let me
> apologize, we are pretty busy here right now.

Yea, I know busy, things fall through cracks all the time at my current
contract, but they live with it and it's accepted....

> I will take your notes into the description. Two questions, one do you
> want me to add your name to the credit list, I like to do this but some
> people get a little leery of it. Two, can I fwd this to Bugtraq?

1) I'm easy about getting credit, so if you want to credit me, that's fine.
2) I already sent this to _NT_Bugtraq, but I think my new (non list-reg'd address)
   confused the listbot, so I sent it direct to Russ too - no response as yet :(
   But feel free to redistribute anything I've written to anywhere.

I'm one of the founders and moderators of comp.lang.c++.moderated, so
I've had to make sure what I say is "suitable for public consumption",
even if it's to private parties - assuming anyone can define 'private'
nowadays... :(

Thanks, and keep up the good work!
Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto
Secure Technologies Ltd.                           Mob. 07971 589 201
mailto:dom@devitto.com                             Tel. 01202 738 767
http://www.devitto.com                             Fax. 08700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


-----Original Message-----
From: Alfred Huger [mailto:ah@securityfocus.com]
Sent: Wednesday, November 10, 1999 8:43 PM
To: Dom De Vitto
Cc: vuldb@securityfocus.com
Subject: Re: FTGate vulnerability.

Dom,


I am not sure if anyone has responded to you yet, if not, please let me
apologize, we are pretty busy here right now.

I will take your notes into the description. Two questions, one do you
want me to add your name to the credit list, I like to do this but some
people get a little leery of it. Two, can I fwd this to Bugtraq?


Nov 1999, Dom De Vitto wrote:

> Ref:
> http://www.securityfocus.com/level2/?go=vulnerabilities&id=548
>
> This problem was fixed in the next release v2.2, a long time ago.
> The SEVENTH v2.2 service release was released over a month ago, so this
> bug only affects very old FTGate installations.
>
> To solve this problem either upgrade your copy of FTGate to the current
> release (for free), or only bind the web interface to 'trusted' interfaces.
>
> I also think the USSR labs have taken unjustified credit for a bug
> discovered and fixed a long time ago by others - quite possibly by
> examining the 'bug fixed' list for the v2.2 release....
>
> The real "impact" of this is that anyone is likely to be able to read
> anyone's email, including incoming/outgoing mail.  POP passwords are also
> available for those with *any* hacking skills at all...
>
> Dom
> PS. I have no relation to FTGate other than being a happy, freeware
> user - & I'm running the "vulnerable" v2.1, but have always only bound
> the web server to 127.0.0.1...
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Dom De Vitto
> Secure Technologies Ltd.                           Mob. 07971 589 201
> mailto:dom@devitto.com                             Tel. 01202 738 767
> http://www.devitto.com                             Fax. 08700 548 750
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>

Alfred Huger
VP of Operations
Security Focus

