FTGate Pro - Multiple Vulnerabilities

.:: DESCRIPTION ::.
"FTGate is a professional, award winning family of mail server applications that offer you exceptional performance, comprehensive features, ease of use and advanced security features in a cost effective package."

More information at http://www.floosietek.com

.:: SUMMARY ::.
Affected Version : FTGate Pro 1.2, build 1331 (latest build)
Tested Platform : Windows 2000, Windows XP Professional

The FTGate Pro WebAdmin interface (not exposed to the Internet by default) is found to be vulnerable to numerous security holes, giving an attacker the chance to learn various information about the FTGate server and to export the FTGate server's mailboxes to a text file. By taking advantage of the vulnerabilities described below, the attacker can ultimately compromise the whole server.

.:: DETAILS ::.
[Vulnerability #1] Information Disclosure

When executed, the script http://www.victim.com:8089/tools/ftgatedump.fts dumps the FTGate configuration into a file so that you can send it to the FTGate support team should you encounter any problem with the software. Unfortunately, access to the script itself is not restricted, so it can be executed by anyone with an Internet connection.

Various information about the FTGate server will be dumped to a file named ftgate_dump.txt, located in the x:\Program Files\FTGate\ directory. Of course, you cannot access and download the dump file directly, but you can still view it with the help of the ftgatedump.fts script. Simply appending 1 to the command parameter of the script will do the trick, for example http://www.victim.com:8089/tools/ftgatedump.fts?command=1.

[Vulnerability #2] FTGate Pro Username and Password exposures

The script exportmbx.fts does exactly what it says, "exports the mailboxes for a domain to a text file", and it suffers from the same problem as the ftgatedump.fts script: it lacks any access control mechanism. An Internet user can export the mailbox of any local domain into a file (CSV format), which is placed in the FTGate program directory. It is important to check the "Export Password" option before exporting the mailbox.

The exportmbx.fts script does not have an option for you to view the file as ftgatedump.fts does, but you can get around that by having the exportmbx.fts script export to a file named "ftgate_dump.txt" and later using the ftgatedump.fts script to view the file. Alternatively, you can also export it to the FTGate server's web root directory and download it from there if you wish. There you have it folks!
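
For administrators who cannot apply the vendor patch immediately, the practical defensive step is to watch the WebAdmin listener's access log for hits on the two scripts named above. The following detector is an added example written for this advisory, not code from the advisory or from FTGate. It assumes the WebAdmin port writes Common Log Format lines (an assumption; FTGate's real log format is not described here), matches on the script file names only (the advisory gives a directory only for ftgatedump.fts), and runs over constructed sample log lines embedded in the script.

```python
"""Flag access-log hits on the unauthenticated FTGate WebAdmin maintenance
scripts (ftgatedump.fts and exportmbx.fts) described in this advisory.

Added example, not part of the advisory or of FTGate. The log format and
the sample lines below are assumptions/constructed data.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Script file names the advisory identifies as reachable without
# authentication. Only ftgatedump.fts has a known directory (/tools/),
# so matching is done on the file name alone.
WATCHED_SCRIPTS = {
    "ftgatedump.fts": "configuration dump (information disclosure)",
    "exportmbx.fts": "mailbox export (username/password exposure)",
}

# Minimal Common Log Format parser (assumed format, not FTGate's own).
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one untrusted client probing both scripts and
# reading the dump back with command=1, plus an admin host doing a dump.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2003:13:55:36 +0000] "GET /tools/ftgatedump.fts HTTP/1.0" 200 512
203.0.113.7 - - [10/Oct/2003:13:55:40 +0000] "GET /tools/ftgatedump.fts?command=1 HTTP/1.0" 200 40960
203.0.113.7 - - [10/Oct/2003:13:56:02 +0000] "GET /tools/exportmbx.fts HTTP/1.0" 200 128
192.0.2.10 - - [10/Oct/2003:14:00:00 +0000] "GET /index.fts HTTP/1.0" 200 2048
192.0.2.10 - - [10/Oct/2003:14:01:00 +0000] "GET /tools/ftgatedump.fts HTTP/1.0" 200 512
"""


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_request(target):
    """Return (script, note, query) when the request targets a watched script."""
    parts = urlsplit(target)
    # Compare case-insensitively: the server runs on Windows, whose file
    # names are case-insensitive.
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name in WATCHED_SCRIPTS:
        return name, WATCHED_SCRIPTS[name], parse_qs(parts.query)
    return None


def find_alerts(lines, trusted_clients=frozenset()):
    """Scan log lines and return one alert dict per hit on a watched script.

    trusted_clients suppresses hits from administrator hosts that are
    expected to use the tools (an assumed allow-list, supplied by the caller).
    """
    alerts = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or rec["client"] in trusted_clients:
            continue
        hit = classify_request(rec["target"])
        if hit is None:
            continue
        script, note, query = hit
        reason = note
        # The advisory's read-back trick: command=1 displays the dump file.
        if script == "ftgatedump.fts" and query.get("command") == ["1"]:
            reason += "; dump file read back via command=1"
        alerts.append({
            "client": rec["client"],
            "ts": rec["ts"],
            "script": script,
            "status": rec["status"],
            "executed": rec["status"] < 400,  # non-error status: script most likely ran
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG.splitlines(), trusted_clients={"192.0.2.10"}):
        print(f'{a["ts"]} {a["client"]} {a["script"]} status={a["status"]}: {a["reason"]}')
```

Any hit from a host outside the allow-list is worth treating as a configuration-dump or mailbox-export event rather than a mere scan, since the scripts run without authentication; pairing a ftgatedump.fts hit followed by a command=1 read, or an exportmbx.fts hit, is the sequence the advisory describes.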

.:: VENDOR STATUS ::.
Vendor has verified and released a patch that addresses the issues. You can download the patch/fixed version at http://www.floosietek.com/files/ftgate12.exe

.:: AUTHOR ::.
Phuong Nguyen
