[13100] in bugtraq


FTPPro insecurities

daemon@ATHENA.MIT.EDU (The Wall)
Mon Dec 27 14:25:11 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9912270855530.13115-100000@7of9.neohapsis.com>
Date: Mon, 27 Dec 1999 10:27:41 -0600
Reply-To: The Wall <the-wall@WIRETRIP.NET>
From: The Wall <the-wall@WIRETRIP.NET>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

FTPPro v.7.5

FTPPro stores credit card information in multiple locations, unprotected,
and in plain text.

The program consists of two files, FTPPro20.exe and FTPPro20.hlp.  These
files do not require their directory to be in the %PATH%.

When the program initializes for the first time, it creates a key in the
registry:

\HKEY_LOCAL_MACHINE\SOFTWARE\FTPPro98c

This key is set with the following permissions:

Administrator   (Full Control)
Creator Owner   (Full Control)
Everyone        (Special Access: Query Value, Set Value, Create Subkey,
                 Enumerate Subkeys, Notify, Delete, Read Control)
System          (Full Control)

The primary purpose of this key is not to store program-related
information but to store license and registration information.  Among the
values stored under it are:

Credit Card #
Credit Card Expiration Date
Credit Card type (VISA, MC, etc.)
Name, Address, City, State, Zip, Phone

The program will not submit the registration information until all of the
above information (and more) has been provided.  All of this information is
stored in the registry unprotected.  The only program-related data stored
under this key are the program version and the "LastRunDate".

In addition to writing all of the above data to the registry, the program
provides a "Register Offline" option.  This option creates a text file
called "Register.txt" in the program's working directory containing all of
the above information in clear text.
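As an added audit example (not code from the original post or from FTPPro), the following PowerShell script checks the key named above for ACEs that grant broad groups write or delete rights, scans its values for Luhn-valid card-like numbers, and looks for the Register.txt file. $ProgramDir and the card-number heuristic are assumptions: the post names neither the install directory nor the exact value names.

```powershell
# Added audit example; assumes the key path reported above. $ProgramDir is a
# placeholder for wherever FTPPro20.exe was installed (not given in the post).
$KeyPath    = 'HKLM:\SOFTWARE\FTPPro98c'
$ProgramDir = 'C:\Path\To\FTPPro'   # placeholder

# Luhn check: flags values whose digits form a plausible card number
function Test-Luhn {
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

# 1. ACEs that let broad principals change or delete the key (the post lists
#    Set Value, Create Subkey and Delete for Everyone)
$rr = [System.Security.AccessControl.RegistryRights]
$writeRights = $rr::SetValue -bor $rr::CreateSubKey -bor $rr::Delete
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

if (Test-Path $KeyPath) {
    $weakAces = (Get-Acl -Path $KeyPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        [int]($_.RegistryRights -band $writeRights) -ne 0
    }
    foreach ($ace in $weakAces) {
        Write-Warning "$KeyPath grants $($ace.IdentityReference) $($ace.RegistryRights)"
    }

    # 2. Values whose data is a 13-19 digit, Luhn-valid number stored in clear text
    $props = (Get-ItemProperty -Path $KeyPath).PSObject.Properties
    foreach ($p in $props) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        $digits = ([string]$p.Value) -replace '[\s-]', ''
        if ($digits -match '^\d{13,19}$' -and (Test-Luhn $digits)) {
            Write-Warning "Value '$($p.Name)' holds a Luhn-valid card-like number in clear text"
        }
    }
}

# 3. The clear-text file produced by "Register Offline"
$regFile = Join-Path $ProgramDir 'Register.txt'
if (Test-Path $regFile) { Write-Warning "Clear-text registration file present: $regFile" }
```

Run it from an elevated prompt so Get-Acl can read the key's security descriptor; the warnings it emits are the findings to remediate (tighten the ACL, remove the stored card data and the Register.txt file).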

Sabine Consulting, the program distributors, have been notified.
