author: takt
site: www.excluded.org
product: SysCP <= 1.2.10 (1.2.9 and 1.2.10 are tested!) with proFTPd 1.2.10 (Sarge)
problem: logins with *wrong* passwords...
date: June 26, 2005

* Product

SysCP, the System Control Panel, is a server administration tool that enables an internet service provider to give its customers a web-based application to administer their email addresses, their subdomains, etc.

* Problem

A user can gain access to files he shouldn't have access to. If there are two extra FTP users for a domain, each password will work for each account. So testuserftp1 can access the files of testuserftp2 with his own password.

* Affected Systems

I haven't tested much, but SysCP 1.2.9 and 1.2.10 are definitely affected. The FTPd is a proFTPd 1.2.10 (of sarge). I don't know exactly where the problem is, but I guess that it is a problem with a configuration file SysCP creates for proFTPd.

* Solution

Coming soon...

::Fight for Freedom && Fuck the System!::
-takt of excluded.org