PT-2010-3684 · Pyftpd · Pyftpd
Henri Salo · Published 2010-06-16 · Updated 2024-02-13 · CVE-2010-2073
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Pyftpd version 0.8.4
Description
Pyftpd 0.8.4 ships hard-coded usernames and passwords in its auth/db/config.py file for the test, user and roxon accounts. Because these values are identical in every installation and visible in the distributed source, any remote attacker who can reach the FTP service can log in with one of these accounts and read arbitrary files from the FTP server.
Recommendations
For Pyftpd 0.8.4, remove the test, user and roxon accounts from auth/db/config.py, or replace their passwords with per-installation values that are not stored in the shipped source. Until that change is made, restrict network access to the FTP service (for example, to trusted addresses only) so the shared credentials cannot be used remotely, and review the server's logs for logins under these three account names.
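The following is an added illustration of the weakness class described above and of a hardened replacement; it is not Pyftpd's own code. Only the three account names come from the advisory; every password value, the file layout, the users.json path and the hashing format are constructed assumptions for the example.

```python
"""Hard-coded FTP credentials: the weak pattern beside a hardened replacement.

Added illustration, not Pyftpd's code. Account names come from the advisory;
passwords, paths and storage format are constructed assumptions.
"""
import hashlib
import hmac
import json
import secrets
from pathlib import Path

# ---- Weak pattern: accounts baked into a source file ----------------------
# Every deployment ships with the same logins, and anyone who reads the
# release knows them. (Password values are constructed, not Pyftpd's.)
HARDCODED_USERS = {
    "test": "test123",
    "user": "user123",
    "roxon": "roxon123",
}


def weak_authenticate(username: str, password: str) -> bool:
    """Plaintext comparison against credentials compiled into the program."""
    return HARDCODED_USERS.get(username) == password


# ---- Hardened pattern: per-install secrets, hashed, no shipped defaults ----
DEFAULT_ACCOUNT_NAMES = frozenset({"test", "user", "roxon"})  # names from the advisory
PBKDF2_ITERATIONS = 100_000  # kept modest for the demo; raise it in production


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'algo$iterations$salt$digest'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash for the candidate password and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Random hash used so the unknown-user path costs as much as the known-user path.
DUMMY_HASH = hash_password(secrets.token_hex(16))


class UserDb:
    """Credential store loaded from a file kept outside the source tree."""

    def __init__(self, users: dict):
        self._users = users

    @classmethod
    def from_mapping(cls, users: dict) -> "UserDb":
        """Refuse to start while any advisory-listed default account survives
        or any password is stored unhashed."""
        leftovers = DEFAULT_ACCOUNT_NAMES & set(users)
        if leftovers:
            raise ValueError(f"default accounts still configured: {sorted(leftovers)}")
        for name, stored in users.items():
            if not str(stored).startswith("pbkdf2_sha256$"):
                raise ValueError(f"account {name!r} has an unhashed password")
        return cls(dict(users))

    @classmethod
    def load(cls, path) -> "UserDb":
        """Read a JSON object {username: stored_hash}. A path such as
        /etc/pyftpd/users.json is an assumption; keep the file mode 0600."""
        return cls.from_mapping(json.loads(Path(path).read_text()))

    def authenticate(self, username: str, password: str) -> bool:
        stored = self._users.get(username)
        if stored is None:
            verify_password(password, DUMMY_HASH)  # burn equal time, then deny
            return False
        return verify_password(password, stored)


if __name__ == "__main__":
    print("weak:", weak_authenticate("test", "test123"))          # True on every install
    db = UserDb.from_mapping({"alice": hash_password("correct horse")})
    print("hardened:", db.authenticate("alice", "correct horse"))  # True
    print("hardened, wrong password:", db.authenticate("alice", "test123"))  # False
    try:
        UserDb.from_mapping({"roxon": hash_password("anything")})
    except ValueError as err:
        print("startup check:", err)
```

The startup check in from_mapping is the operational point of the advisory: a release that still carries the shipped account names should not come up at all, rather than relying on every administrator to remember to edit the config file.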
Weakness Enumeration
Using Hardcoded Credentials
Related Identifiers
CVE-2010-2073
Affected Products
Pyftpd