任务单 #35240

REMOTE PORT ACCESS AND CODE EXECUTION

开放日期: 2015-06-16 05:01 最后更新: 2015-06-16 13:29

报告人:
(匿名)
属主:
类型:
状态:
关闭
组件:
(无)
里程碑:
(无)
优先:
9 - Highest
严重性:
9 - Highest
处理结果:
Duplicate
文件:

Details

Dear sir ,

I have found bug on your web server which is very risky and high risk. That is FTP Anonymous Login. I will explain it as follows:

Vulnerability: FTP Anonymous Default LOGIN Vulnerable area: FTP server

POC : Proof of concept as follows:

Steps To Reproduced:

1) Open Nmap and scan for following link as follow: https://sourceforge.jp

2) Now you can see that FTP port is open . now Check for login with ftp command as follows

ftp 202.221.179.21 Enter

See as follows:

3) Now it is asking for user name and password . In your web server config anonymous user ID , Password anonymous see as follows:

4) Vulnerability description The remote FTP server allows anonymous logins. Anonymous FTP allows users without accounts to have restricted access to certain directories on the system. The configuration of systems allowing anonymous FTP should be checked carefully, as improperly configured FTP servers are frequently attacked.

5) How to fix this vulnerability If you are not using this service, it is recommended to disable it or at least deny anonymous logins.

IMPACT

1) Attacker can get direct access to your root login and can exploit your server while uploading shells .

I have give enough details i hope you will patch this as soon as and if you need any information you can contact me over here.

You can also contact me here for my bug reward i will be waiting for it in good faith.

任务单历史 (2/2 Histories)

2015-06-16 05:01 Updated by: None
  • New Ticket "REMOTE PORT ACCESS AND CODE EXECUTION" created
2015-06-16 13:29 Updated by: sugi
  • Ticket Close date is changed to 2015-06-16 13:29
  • 状态 Update from 开启 to 关闭
  • 处理结果 Update from to Duplicate
评论

duplicate with #35241

Attachment File List

No attachments

编辑

You are not logged in. I you are not logged in, your comment will be treated as an anonymous post. » 登录名