Ticket #35240

REMOTE PORT ACCESS AND CODE EXECUTION

Opened: 2015-06-16 05:01 Last updated: 2015-06-16 13:29

Reporter:
(Anonymous)
Owner:
Type:
Status:
Closed
Component:
(None)
Milestone:
(None)
Priority:
9 - Highest
Severity:
9 - Highest
Resolution:
Duplicate
Files:

Details

Dear sir,

I have found a bug on your web server which is very risky and high risk. That is FTP Anonymous Login. I will explain it as follows:

Vulnerability: FTP Anonymous Default LOGIN
Vulnerable area: FTP server

POC: Proof of concept as follows:

Steps to Reproduce:

1) Open Nmap and scan the following link as follows: https://sourceforge.jp

2) Now you can see that the FTP port is open. Now check for login with the ftp command as follows:

ftp 202.221.179.21 Enter

See as follows:

3) Now it is asking for a user name and password. In your web server config the anonymous user ID and password are "anonymous"; see as follows:

4) Vulnerability description: The remote FTP server allows anonymous logins. Anonymous FTP allows users without accounts to have restricted access to certain directories on the system. The configuration of systems allowing anonymous FTP should be checked carefully, as improperly configured FTP servers are frequently attacked.

5) How to fix this vulnerability: If you are not using this service, it is recommended to disable it or at least deny anonymous logins.

IMPACT

1) Attacker can get direct access to your root login and can exploit your server while uploading shells.

I have given enough details. I hope you will patch this as soon as possible, and if you need any information you can contact me over here.

You can also contact me here for my bug reward; I will be waiting for it in good faith.
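As an added defensive example that is not part of this ticket or of the site's own tooling: the ticket's recommended fix is to deny anonymous logins, and the settings that govern that live in the FTP daemon's configuration. The ticket does not say which daemon is in use, so vsftpd is assumed here. The script below parses a vsftpd.conf, flags anonymous-login exposure (and, where write access is also on, anonymous upload/mkdir/rename rights), and produces the corrected configuration. The two configuration texts are constructed for illustration; the defaults are the ones documented in vsftpd.conf(5).

```python
"""Audit a vsftpd.conf for anonymous FTP exposure and emit a hardened copy.

Added example (assumes vsftpd; the ticket names no daemon). The sample
configuration texts at the bottom are constructed, not taken from any host.
"""
from typing import Dict, List

# Documented vsftpd.conf(5) defaults for the keys this audit models.
# Note anonymous_enable defaults to YES: a config that simply omits the key
# still permits anonymous logins (distribution-shipped files usually set NO).
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "write_enable": "NO",
    "local_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Return effective settings: documented defaults overlaid with key=value lines.

    '#' comment lines and blank lines are skipped. vsftpd itself rejects
    whitespace around '=', but it is tolerated here so reviewers can paste
    hand-edited snippets; values are normalised to upper case.
    """
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit_anonymous_ftp(text: str) -> List[str]:
    """List findings, most severe first. Empty list means anonymous login is off."""
    s = parse_vsftpd_conf(text)
    findings: List[str] = []
    if s["anonymous_enable"] != "YES":
        return findings
    findings.append("anonymous_enable=YES: unauthenticated clients can log in as 'anonymous'")
    # Anonymous write rights only take effect when the global write switch is on.
    if s["write_enable"] == "YES":
        if s["anon_upload_enable"] == "YES":
            findings.append("anon_upload_enable=YES with write_enable=YES: anonymous users can upload files")
        if s["anon_mkdir_write_enable"] == "YES":
            findings.append("anon_mkdir_write_enable=YES with write_enable=YES: anonymous users can create directories")
        if s["anon_other_write_enable"] == "YES":
            findings.append("anon_other_write_enable=YES with write_enable=YES: anonymous users can delete/rename")
    return findings


def harden_vsftpd_conf(text: str) -> str:
    """Return the config with anonymous_enable forced to NO (replaced in place or appended)."""
    out: List[str] = []
    seen = False
    for raw in text.splitlines():
        stripped = raw.strip()
        is_setting = bool(stripped) and not stripped.startswith("#") and "=" in stripped
        key = stripped.partition("=")[0].strip().lower() if is_setting else None
        if key == "anonymous_enable":
            out.append("anonymous_enable=NO")
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append("anonymous_enable=NO")
    return "\n".join(out) + "\n"


# Constructed sample: the weak setting the ticket describes, plus upload rights.
WEAK_CONF = """\
# constructed example, not a real host's file
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
"""

# Constructed sample: the corrected setting (anonymous denied, writes off).
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("empty", "")):
        print(f"[{name}]", audit_anonymous_ftp(conf) or "no findings")
    print(harden_vsftpd_conf(WEAK_CONF))
```

Running it shows the weak file producing two findings, the hardened file none, and an empty file one finding, because the documented default leaves anonymous login on. That last case is the one worth remembering during a review: absence of the key is not the same as the key set to NO.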

Ticket History (2/2 Histories)

2015-06-16 05:01 Updated by: None
  • New Ticket "REMOTE PORT ACCESS AND CODE EXECUTION" created
2015-06-16 13:29 Updated by: sugi
  • Resolution updated from (blank) to Duplicate
  • Status updated from Open to Closed
  • Ticket Close date is changed to 2015-06-16 13:29
Comments

duplicate with #35241

Attachment File List

No attachments
