EFTP Nonexistent File Request Installation Directory Disclosure

medium Nessus Plugin ID 11093

Synopsis

The remote FTP server is affected by an information disclosure vulnerability.

Description

The version of EFTP installed on the remote host reveals its installation directory if sent a request for a nonexistent file. An authenticated attacker may leverage this flaw to gain more knowledge about the affected host, such as its filesystem layout.

Solution

Upgrade to version 3.2 or higher, as it has been reported to fix this vulnerability.

See Also

https://seclists.org/bugtraq/2001/Sep/135

Plugin Details

Severity: Medium

ID: 11093

File Name: eftp_root_disclosure.nasl

Version: 1.31

Type: remote

Family: FTP

Published: 8/18/2002

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Score from a more in-depth analysis done by Tenable

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: manual

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

Required KB Items: ftp/login

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

BID: 3333