
Dotnetpanel Forums

Community support forums for DotNetPanel products

Users can access other users spaces with FTP - bug or a rights problem?

Last post 09-15-2009 4:37 PM by MickeP. 3 replies.
Page 1 of 1 (4 items)
  • 09-15-2009 4:53 AM

    • MickeP
    • Top 75 Contributor
    • Joined on 09-22-2008
    • Landskrona, Sweden
    • Posts 62

    Users can access other users spaces with FTP - bug or a rights problem?

    I'm on W2003, IIS6, MS FTP, DNP 2.8.8

    When using FileZilla FTP Client, if I know (or can guess) a username for a domain, I'm able to enter that directly into the "Remote Path" field in my FileZilla client, and access that user's space and do whatever I want... Very risky - and probably not too hard for a hacker to make a qualified guess of what username goes with a domain name if it's a company customer, for example. Let's say I would have "ikea.se" at my servers, then "ikea" as a username wouldn't be too strange, right? Of course, as a hacker one would have to have at least one working ftp account first, but it's just to become a customer and then the hackers are able to get into places they shouldn't be in :-/

    Now - is this a bug or do I have any security rights wrongly configured? Anyone who can reproduce this problem or is it just me?

    To reproduce, try logging in with one existing ftp account at your system - then enter "/<user>/<domain>" as a remote path in the ftp client (I don't think the problem is in FileZilla, this should be the same result whatever ftp client one uses).

  • 09-15-2009 9:31 AM In reply to

    • ACW
    • Top 25 Contributor
    • Joined on 05-05-2006
    • Posts 234

    Re: Users can access other users spaces with FTP - bug or a rights problem?

    Hi,

    I have a server with the exact same software (except I am running DNP 2.8.3) and could not duplicate your results. I actually tried other methods and the most I could get is an "access denied" if I enter the name of a valid ftp account as the path. A hacker can use this to confirm that that is the name of another valid ftp account. But I was never able to upload or list the contents from another ftp user.

    I feel it is something with your particular FTP or NTFS configuration. I would begin by checking the NTFS permissions.

    Regards,

    ACW

  • 09-15-2009 10:13 AM In reply to

    • MickeP
    • Top 75 Contributor
    • Joined on 09-22-2008
    • Landskrona, Sweden
    • Posts 62

    Re: Users can access other users spaces with FTP - bug or a rights problem?

    ACW:

    I feel it is something with your particular FTP or NTFS configuration. I would begin by checking the NTFS permissions.

    Thanks for your effort. I don't think anyone at our place has done anything with the ntfs permissions but I'll definitely look into it, one never knows... :) My first fear was that it was a bug since I ran DNP 2.8.0 for a long time but updated it to 2.8.8 yesterday and then by a mistake discovered this security problem of mine - therefore my first thought was if it was any change within DNP new versions that made this. Thanks to your efforts I realise that it might be our ntfs rights or maybe some ftp setting... hmm.. However, I'm very grateful to you that you did try this at your place for me! :)

  • 09-15-2009 4:37 PM In reply to

    • MickeP
    • Top 75 Contributor
    • Joined on 09-22-2008
    • Landskrona, Sweden
    • Posts 62

    Re: Users can access other users spaces with FTP - bug or a rights problem?

    Problem Solved!

    It was the ntfs permissions, somehow there was indeed a "Users" group at root level of my partition D: (Hostingspaces). I have no idea why it was there, though. Hopefully (?) it's a human error and something that was accidentally forgotten to clean up - I'm crossing my fingers that it wasn't an effect of some software that made this setting, at least... So now late in the evening I was able to try deleting it and now I can't ftp to other customers' accounts any more, and everything seems to still work (www, ftp, mysql that I have on that server).

    And just as DNP Team member Kent states at the link below, there should be no "Users" - just "Administrators" and "SYSTEM":
    http://forum.dotnetpanel.com/forums/p/3504/18342.aspx#18342

    Now I wonder - does this apply for you as well? In my system I also have "Everyone" with all permissions excluded but the "Special Permissions" (deeper in the settings it's a read&execute on that folder (root) only) as well as a "CREATOR OWNER" also with all permissions excluded but "Special Permissions" (deeper in these settings it's a "Full Control" on subfolders and files only, under root).

    Should these (Everyone & CREATOR OWNER) be possible to delete as well from the root security permissions, I wonder? According to Kent it should... hmmm?
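The fix MickeP describes above (a stray "Users" ACE on the hosting-spaces root) is the kind of thing worth checking on every server rather than discovering by accident. The script below is an added example, not code from the thread or from DotNetPanel: it reads the NTFS ACL on the hosting root with Get-Acl, reports any entry granted to broad principals such as BUILTIN\Users or Everyone (including whether the entry is inherited from the drive root, which decides where the cleanup has to happen), and optionally removes the "Users" entry with Set-Acl. The path D:\HostingSpaces is assumed from the post; adjust it for your own server. The question about "Everyone" and "CREATOR OWNER" is left as MickeP left it: the script only reports those entries, it does not remove them.

```powershell
# Added example (not from the thread or DotNetPanel): audit the NTFS ACL on the
# hosting-spaces root for broad principals that break per-tenant FTP isolation.
param(
    [string]$Root = 'D:\HostingSpaces',   # assumed from the post; change as needed
    [switch]$RemoveUsersAce                # only remove BUILTIN\Users when asked to
)

# Per the thread (and the DNP forum link MickeP cites), only these two should be
# present at the hosting root.
$expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Broad principals that would let one ftp tenant reach another tenant's folder.
$broad = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'CREATOR OWNER')

function Get-HostingRootFindings {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($expected -contains $id) { continue }   # Administrators / SYSTEM are fine
        $findings += [pscustomobject]@{
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited                 # inherited => fix at the parent
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            Broad     = ($broad -contains $id)
        }
    }
    return $findings
}

$findings = Get-HostingRootFindings -Path $Root
if ($findings.Count -eq 0) {
    Write-Output "OK: only Administrators and SYSTEM hold entries on $Root"
} else {
    Write-Output "Entries on $Root other than Administrators/SYSTEM (Broad=True needs attention):"
    $findings | Format-Table -AutoSize
}

# Optional cleanup of the exact entry from the thread: the "Users" group at the root.
# Only explicit (non-inherited) entries can be removed here; an inherited one must
# be removed on the parent or inheritance must be broken first.
if ($RemoveUsersAce) {
    $acl = Get-Acl -Path $Root
    $usersAces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and -not $_.IsInherited
    }
    foreach ($ace in $usersAces) {
        [void]$acl.RemoveAccessRule($ace)
    }
    if ($usersAces) {
        Set-Acl -Path $Root -AclObject $acl
        Write-Output "Removed $($usersAces.Count) explicit BUILTIN\Users entr(y/ies) from $Root"
    } else {
        Write-Output "No explicit BUILTIN\Users entry on $Root to remove"
    }
}
```

Run it first without -RemoveUsersAce to see what is there; after any change, re-test the way MickeP did (log in with one tenant's ftp account and confirm a remote path of another tenant now gets "access denied" rather than a listing), and check that www, ftp and mysql still work for the tenants themselves.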
