
FTPPro v7.5 stores credit card info in multiple places, in plaintext!



Vulnerability

    FTPPro

Affected

    FTPPro v.7.5

Description

    The following was found by "The Wall". FTPPro stores credit card
    information in multiple locations, unprotected and in plain text.
    The program consists of 2 files, FTPPro20.exe and FTPPro20.hlp.
    These files do not require their directory to be in the working
    %PATH% statement. When the program initializes for the first
    time, it creates a key in the registry:

        \HKEY_LOCAL_MACHINE\SOFTWARE\FTPPro98c

    This key is set with the following permissions:

        Administrator   (Full Control)
        Creator Owner   (Full Control)
        Everyone        (Special Access - Query Value
                           Set Value
                           Create Subkey
                           Enumerate Subkeys
                           Notify
                           Delete
                           Read Control)
        System          (Full Control)

    The primary purpose of this key is not to store any real
    program-related information, but to store license and registration
    information. Among the keys and their data are:

        Credit Card #
        Credit Card Expiration Date
        Credit Card type (VISA, MC, etc.)
        Name, Address, City, State, Zip, Phone

    The program will not submit the registration information until
    all of the above information (and more) is provided. All of this
    information is stored in the registry unprotected. The only
    relevant program information stored under this key is the program
    version and the "LastRunDate".

    In addition to entering all of the above data into the registry,
    the program provides a "Register Offline" option. This option
    will create a text file called "Register.txt" in the program
    working directory containing all of the above information in
    clear text.

Solution

    To allay any fears, the following is a brief description of the
    methods which will be used in FTPPro Version 7.6. FTPPro previously
    contained a feature which allowed them to send email to the users
    of illegally modified copies of FTPPro. They have chosen to remove
    that feature from FTPPro. The new version will only transmit
    information which the user has typed onto the OnLine Registration
    form.

    Therefore, FTPPro will no longer have the ability to send Email
    to any user. What these modified warez versions do is now beyond
    their control.

