CatSoft FTP Serv-U Brute-Force Vulnerability

FTP Serv-U is an internet FTP server from CatSoft.

FTP Serv-U contains an anti brute-force security feature that does not indicate whether an account is valid or not: after three unsuccessful login attempts the user is disconnected, and reconnection is not permitted until a specified amount of time has elapsed.

It is possible for a remote user to bypass the anti brute-force function within FTP Serv-U. Once successfully logged into the server, either anonymously or with a valid account, a user can from that point on brute-force other usernames and passwords without ever being disconnected.

This could lead to the compromise of other user accounts on the FTP server.
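As an added example that is not part of the advisory: a small Python detection that scans a session log for exactly the pattern described above, failed login attempts (530 replies) arriving after a session has already been authenticated (a 230 reply), which the three-strikes disconnect never counts. The log layout and the sample lines are constructed for the example and are not Serv-U's real log format.

```python
import re

# Constructed sample session log (an assumed, simplified layout, not Serv-U's
# real log format): "(session) client C:/S: text"; 331 replies are omitted.
SAMPLE_LOG = """\
(000003) 10.0.0.5 C: USER anonymous
(000003) 10.0.0.5 C: PASS guest@example.invalid
(000003) 10.0.0.5 S: 230 User logged in
(000003) 10.0.0.5 C: USER alice
(000003) 10.0.0.5 C: PASS ********
(000003) 10.0.0.5 S: 530 Login incorrect
(000003) 10.0.0.5 C: USER alice
(000003) 10.0.0.5 C: PASS ********
(000003) 10.0.0.5 S: 530 Login incorrect
(000003) 10.0.0.5 C: USER bob
(000003) 10.0.0.5 C: PASS ********
(000003) 10.0.0.5 S: 530 Login incorrect
(000004) 10.0.0.9 C: USER carol
(000004) 10.0.0.9 C: PASS ********
(000004) 10.0.0.9 S: 530 Login incorrect
(000004) 10.0.0.9 C: USER carol
(000004) 10.0.0.9 C: PASS ********
(000004) 10.0.0.9 S: 230 User logged in
"""

LINE_RE = re.compile(r"^\((\d+)\) (\S+) ([CS]): (.*)$")

def post_login_failures(log_text):
    """Per session: client address and number of 530 replies seen *after*
    the first 230, i.e. re-login attempts the disconnect rule never sees."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines outside the constructed layout
        sid, client, side, text = m.groups()
        s = sessions.setdefault(sid, {"client": client, "logged_in": False,
                                      "failures_after_login": 0})
        if side == "S" and text.startswith("230"):
            s["logged_in"] = True  # session is now past the anti-brute-force gate
        elif side == "S" and text.startswith("530") and s["logged_in"]:
            s["failures_after_login"] += 1  # failure that did not disconnect
    return sessions

def flagged_sessions(log_text, threshold=3):
    """Sessions with at least `threshold` post-login failures (the same count
    that would normally trigger a disconnect before authentication)."""
    return {sid: s for sid, s in post_login_failures(log_text).items()
            if s["failures_after_login"] >= threshold}
```

Session 000004 fails once before authenticating and is not flagged, because that failure is still covered by the server's own disconnect rule; only failures after a 230 are counted.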


Copyright 2010, SecurityFocus