CVE-2007-2165

Sažetak

The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd.

Reference

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419255
http://bugs.proftpd.org/show_bug.cgi?id=2922
http://osvdb.org/34602
http://secunia.com/advisories/24867
http://secunia.com/advisories/25724
http://secunia.com/advisories/27516
http://securitytracker.com/id?1017931
http://www.mandriva.com/security/advisories?name=MDKSA-2007:130
http://www.securityfocus.com/bid/23546
http://www.vupen.com/english/advisories/2007/1444
https://bugzilla.redhat.com/show_bug.cgi?id=237533
https://exchange.xforce.ibmcloud.com/vulnerabilities/33733
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00065.html

CVSS

Base:	5.1
Impact:	6.4
Exploitability:	4.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:H/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

29-07-2017 - 01:31

Objavljeno

22-04-2007 - 19:19