
Title: Broker FTP unauthorized directory browsing
Released by: 403-security
Date: 22nd November 2000


403-SECURITY advisory



Issue: Broker FTP unauthorized directory browsing and plain text password storing
Author: Astral [astral@403-security.org]
Discovered: 07.11.2000
Published: 22.11.2000
Version: (others are probably vulnerable too)
Vendor: TransSoft

I. Description:

Broker FTP is a powerful FTP server which runs on the Windows platform; it can be administered through a Web browser.

II. Problem:

Broker FTP is vulnerable to two very dangerous attacks. The first allows an attacker to browse the server's whole disk, while the second allows an attacker to fetch passwords and account information easily.

Passwords are also written to the log files (in plain text, but they shouldn't be written there at all !?).

NOTE: We take no responsibility for damage caused by this example.

III. 1st problem

Anyone, including anonymous users, can browse the whole server disk, very simply.

Connected to
220 FTP Server ready [***]
User ( anonymous
331 Password required for anonymous.
Password: anything
230 User anonymous logged in.
ftp> ls x:\

where x is the letter of the hard drive you want to browse.
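The flaw behind "ls x:\" is a server that maps a client-supplied path straight onto the disk, so an absolute Windows path replaces the configured FTP root instead of being confined to it. The following Python is an added illustration of that bug class and its fix; it is not Broker FTP's code (the page does not show the server's internals) and the root directory C:\FTPRoot, the function names and the sample client arguments are all constructed. It uses ntpath so the Windows path semantics are reproduced on any OS: naive_resolve() shows how ntpath.join() silently drops the root when the argument carries a drive letter or climbs past it with "..", and safe_resolve() shows the containment check a server needs (reject drive and UNC prefixes, normalise, then verify the result is still under the root).

```python
import ntpath

# Constructed example: the directory the FTP server is supposed to expose.
# Broker FTP's real internals are not on the page; this models the bug class.
FTP_ROOT = r"C:\FTPRoot"


def naive_resolve(root, cwd, arg):
    """Vulnerable mapping of a client path to a disk path.

    ntpath.join() discards everything before an absolute component, so a
    client argument such as 'x:\\' or '\\windows' replaces the root outright,
    and '..' components are collapsed by normpath without any check.
    """
    return ntpath.normpath(ntpath.join(root, cwd.lstrip("/\\"), arg))


def safe_resolve(root, cwd, arg):
    """Map a client path to a disk path that must stay under root.

    Raises PermissionError for any argument that would escape the virtual
    root: drive letters, UNC prefixes, or '..' climbing above the root.
    """
    drive, _ = ntpath.splitdrive(arg)
    if drive:  # 'x:\\', 'x:foo' or '\\\\server\\share' never come from a legitimate client
        raise PermissionError(f"absolute device path rejected: {arg!r}")

    # A leading slash means "relative to the virtual root", not to the disk root.
    if arg.startswith(("/", "\\")):
        rel = arg.lstrip("/\\")
    else:
        rel = ntpath.join(cwd.lstrip("/\\"), arg)

    root_norm = ntpath.normpath(root)
    resolved = ntpath.normpath(ntpath.join(root_norm, rel))

    # Containment check after normalisation; the trailing separator stops
    # 'C:\FTPRoot2' from passing as a child of 'C:\FTPRoot'.
    inside = (resolved.lower() == root_norm.lower()
              or resolved.lower().startswith(root_norm.lower() + "\\"))
    if not inside:
        raise PermissionError(f"path escapes virtual root: {arg!r} -> {resolved}")
    return resolved


def is_allowed(root, cwd, arg):
    """Convenience wrapper: True if safe_resolve() accepts the argument."""
    try:
        safe_resolve(root, cwd, arg)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # The advisory's 'ls x:\' from the virtual root, plus a '..' climb and a normal file.
    for cwd, arg in [("/", "x:\\"), ("/pub", "..\\..\\windows\\win.ini"), ("/pub", "readme.txt")]:
        verdict = "allowed" if is_allowed(FTP_ROOT, cwd, arg) else "rejected"
        print(f"{arg!r:32} naive -> {naive_resolve(FTP_ROOT, cwd, arg)!r:28} safe -> {verdict}")
```

Running the block shows the naive resolver returning "x:\" for the advisory's listing command, while the hardened resolver rejects it along with the "..\..\windows\win.ini" climb and any UNC path, and still accepts ordinary relative and root-anchored names. The order matters: the containment test must run on the normalised result, since checking the raw argument for ".." can be bypassed by paths that only escape after normalisation.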

IV. 2nd problem

The administrator password is stored in %%WinDir%%\BrokerProfiles.Dat in plain-text format (it could be ROT13 encrypted at least ;-) ).

Other accounts and user information (rights, telephone, fax ...) are stored in %%ProgramDir%%\Data\Users in the following format:

login message|logoff message|Maximum transfer 


RIGHTS are stored in this format:

if x is 1 then the user has access to that feature and if it's 0 it doesn't.

1st number: User can ZIP files on remote computer
2nd number: User can UNZIP files on remote server
3rd number: User can COPY files on remote server
4th number: User can EXECUTE files on remote 
5th number: User can CHANGE PASSWORD on 
6th number: User can DOWNLOAD files
7th number: User can UPLOAD files
8th number: User can CREATE DIRECTORIES
9th number: User can REMOVE DIRECTORIES
10th number: User can DELETE files
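Two points from this section lend themselves to a worked example: the ten-digit rights string, and what a credential field should look like instead of plain text. The Python below is added here and is not Broker FTP's format or code: parse_rights() decodes the 0/1 positions using the names listed above and refuses malformed fields, while hash_password() and verify_password() show salted PBKDF2-HMAC-SHA256 storage with a constant-time comparison, which is the standard alternative to storing the password itself (the ROT13 remark is a joke; an obfuscated password is still recoverable). The "name|password_hash|rights" record layout in load_user(), the user name and the password are constructed for the demonstration; the page only shows a truncated pipe-delimited layout.

```python
import hashlib
import hmac
import os

# Right positions 1..10 as named in the advisory.
RIGHT_NAMES = (
    "zip", "unzip", "copy", "execute", "change_password",
    "download", "upload", "create_dirs", "remove_dirs", "delete",
)


def parse_rights(field):
    """Decode the ten-digit 0/1 rights field into named booleans.

    Rejects records whose rights field is malformed rather than silently
    treating an unexpected character as 'denied' (or worse, 'granted').
    """
    if len(field) != len(RIGHT_NAMES) or any(ch not in "01" for ch in field):
        raise ValueError(f"rights field must be {len(RIGHT_NAMES)} digits of 0/1: {field!r}")
    return {name: ch == "1" for name, ch in zip(RIGHT_NAMES, field)}


def hash_password(password, salt=None, iterations=200_000):
    """Return a self-describing salted PBKDF2-HMAC-SHA256 string for storage."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:  # not a hashed field at all, e.g. a legacy plain-text entry
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def load_user(record):
    """Parse a constructed 'name|password_hash|rights' record (layout assumed, not Broker FTP's)."""
    name, pw_hash, rights = record.split("|")
    return {"name": name, "password": pw_hash, "rights": parse_rights(rights)}


if __name__ == "__main__":
    # Constructed sample record; fixed salt and low iteration count only so the demo is reproducible.
    stored = hash_password("s3cret", salt=bytes(16), iterations=1000)
    user = load_user(f"alice|{stored}|0000011100")
    print(user["rights"])                               # download, upload, create_dirs granted
    print(verify_password(user["password"], "s3cret"))  # True
    print(verify_password(user["password"], "S3cret"))  # False
```

The stored string carries its own algorithm tag, iteration count and salt, so a future change of parameters can be rolled out per record; in production the salt comes from os.urandom() and the iteration count stays at the default or higher.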

V. Fix

Vendor has issued a new version to fix these two 

{Vendor was extremely friendly and professional}

This advisory is RFPolicy [http://www.wiretrip.net/rfp/policy.html] compatible.

(C) 1999-2000 All rights reserved.