iChain Security concern with Mini FTP Server Administration and path disclosure

  • 10096886
  • NOVL101284
  • 08-Mar-2005
  • 11-Mar-2005

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Fact

iChain 2.3

iChain 2.2

iChain 2.3 Support Pack 2 applied (ic23sp2.exe)

Mini FTP server enabled on iChain

No access control for iChain GUI management in place

Symptom

iChain Security concern with Mini FTP Server Administration and path disclosure

Can view iChain FTP server path without authenticating

Can execute the FTP PWD command without authentication
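One way to check FTP session captures for the behaviour described above, as an added example that is not part of the original Novell document: it flags any 257 reply to PWD that arrives before a 230 login success. The `C: `/`S: ` transcript format, the sample sessions and the path in them are constructed for illustration and are not iChain output.

```python
import re

# Final line of an FTP reply: three digits, then a space (RFC 959).
# "230-..." lines are continuations of a multi-line reply and are skipped.
FINAL_REPLY = re.compile(r"^(\d{3}) (.*)$")
# A 257 reply carries the path in double quotes; an embedded quote is doubled.
QUOTED_PATH = re.compile(r'^"((?:[^"]|"")*)"')

def preauth_pwd_disclosures(lines):
    """Return paths revealed by PWD/XPWD before any successful login (230)."""
    authenticated, last_cmd, found = False, None, []
    for raw in lines:
        side, _, text = raw.strip().partition(": ")
        if side == "C":
            last_cmd = text.split(" ", 1)[0].upper()
            if last_cmd == "REIN":          # REIN resets the login state
                authenticated = False
            continue
        m = FINAL_REPLY.match(text) if side == "S" else None
        if not m:
            continue                        # continuation line or noise
        code, rest = m.groups()
        if code == "230":                   # 230 = user logged in
            authenticated = True
        elif code == "257" and last_cmd in ("PWD", "XPWD") and not authenticated:
            q = QUOTED_PATH.match(rest)
            found.append(q.group(1).replace('""', '"') if q else rest)
        if code[0] != "1":                  # 1xx is preliminary; keep the command
            last_cmd = None
    return found

# Constructed sample sessions (assumed "C: "/"S: " capture format).
EXPOSED = """S: 220 FTP server ready
C: PWD
S: 257 "/constructed/ftp/root" is current directory
C: QUIT
S: 221 Goodbye""".splitlines()

GATED = """S: 220 FTP server ready
C: PWD
S: 530 Please login with USER and PASS
C: USER admin
S: 331 Password required
C: PASS ********
S: 230-Welcome
S: 230 User logged in
C: PWD
S: 257 "/constructed/ftp/root" is current directory""".splitlines()

if __name__ == "__main__":
    print("exposed:", preauth_pwd_disclosures(EXPOSED))
    print("gated:  ", preauth_pwd_disclosures(GATED))
```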

Fix

A defect has been entered for this issue. It is low priority because the FTP directory is already documented in the iChain 2.3 documentation.

Note

Thanks to Francisco Amato for notifying Novell of this issue.

Francisco Amato
Infobyte Security Research
www.infobyte.com.ar