Rule:  
--

Sid:
1166

--

Summary:
Someone attempted to download ws_ftp.ini through the web

--
Impact:
Saved passwords for FTP accounts may be gleaned from the ws_ftp.ini file

--
Detailed Information:
When a user of WS_FTP chooses "save password" when connecting to an FTP
server, the password is saved in ws_ftp.ini.  The passwords are stored
weakly encrypted.

--
Affected Systems:
 
--
Attack Scenarios:
A web administrator opens up far too much of his hard drive to web sharing,
and an attacker finds and downloads the ws_ftp.ini file, and cracks the
encrypted passwords to get access to FTP accounts

--
Ease of Attack:
Requires that the attacker find a web-shared ws_ftp.ini file first, and
then run the file through a specialized password cracker (such tools
exist in the wild)

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Find out if the ws_ftp.ini file existed on the web server.
Find out what accounts were stored in the ws_ftp.ini file that was
downloaded, and change the passwords for those accounts immediately.
Consider investigating the referenced systems and accounts
for signs of compromise or access of sensitive data.
Having a web-accessable ws_ftp.ini file is probably a sign of larger
misconfigurations of the web server, so consider launching an audit
and investigation of the web server.

--
Contributors:
Original rule writer unknown
Original document author unkown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:
CVE:  CAN-1999-1078
Bugtraq:  BID 547
