Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows Net Apps :: bt1056.txt

FTGate Pro Server - Multiple Vulnerabilities

Release Date: 09/01/2003

FTGate Pro - Multiple Vulnerabilities

“FTGate is a professional, award winning family of
mail server applications that offer you exceptional
performance, comprehensive features, ease of use and
advanced security features in a cost effective

More information at

Version  : FTGate Pro 1.2, build 1331 (latest build)
Tested Platform : Windows 2000, Windows XP

Multiple vulnerabilities have been found in FTGate Pro
WebAdmin interface (not enable to the Internet by
default) which allows the attackers to learn various
information about the FTGate server and exporting
FTGate sever's mailboxes to a text file (that
including administrator’s password, usernames’
passwords) which would lead the server to a total

[Vulnerability #1] Information Disclosure

The script will
dumb the FTGate  configuration into a file for you to
send to FTGate support team when you encountered a
problem with the software. Ftgatedump.fts script
doesn't provide proper privilege checking so you don't
need to have administrator's privilege to access to
that script.

Ftgatedump.fts script will dump various information
about your current FTGate Pro configuration to
x:\Program Files\FTGate\ftgate_dump.txt and allow you
to view the file by sending
request to the server.

[Vulnerability #2] FTGate Pro Username and Password

Exportmbx.fts just does exactly what it say "exports
the mailboxes for a domain to a text file" and it
encounters the same problem like the ftgatedump.fts
script, no admin's credential is necessary to access
and execute the script therefore anyone could just
export mailboxes of any local domain into a file (CSV
format) and the file is located in the FTGate program
directory. Make sure you check the "Export Password"
option before exporting the mailbox.

Exportmbx.fts script does not have an option for you
to view the file like the ftgatedump.fts does but you
can get around that by either making exportmbx.fts
script export to a file named "ftgate_dump.txt" and
use the ftgatedump.fts script to view the file or you
can export it to FTGate server's root directory and
download it, there you have it folks.

Vendor has verified and released a patch that fixes
the issues. Available at

Author: Phuong Nguyen

Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH