Fox News site exposes a working user name and password for ftp.g.ziffdavis.com
Edit: The original source article at linuxinit has been deleted (cue Twilight Theme music)...
Original source: http://linuxinit.net/site/?id=664 Found via http://blogs.securiteam.com/index.php/archives/966
Fox News have got their asses hanging out in the fresh air, waiting to be kicked - there's no other appropriate description for this.
"While browsing around the Fox News website, I found that directory indexes are turned on. So, I started following the tree up, until I got to /admin. Eventually, I found my way into /admin/xml_parser/zdnet/, in which there is a shell script. Seeing as it's a shell script, and I use Linux, I took a peek. Inside is a username and password to an FTP. So, of course, I tried to login. The result? Epic fail on Fox's part. And seriously, what kind of password is 'T1me Out'? This is just pathetic."
Surely not, says I ... Fox News is not exactly a backwater newspaper... but nay, somebody has screwed up. I browsed to http://www.foxnews.com/admin/ and what did I see? The index of /admin is exposed to the world.
You can see from the screenshot that all of the directories have been untouched since 2006 and earlier, just like the files discovered on the FTP server by linuxinit are all dated between 2002 and 2006.
BUT, that being said, linuxinit reports that the FTP username and password revealed by the shell script still works and THAT, gentle reader, is a dangerous situation for Ziff Davis.
So, what went wrong? How did such a basic breakdown in security protocols happen? Did a long-departed admin, perhaps, get lazy one day in the dim past and create a shell script to make his life a little easier, forgetting to delete it before leaving?
Perhaps the existence and location of the shell script were undocumented and unknown to anybody else but the person who created it.
Or perhaps somebody forgot to reset the password for the FTP user account... or forgot to disable the account ...
Who the hell knows? All I do know is that it is absolutely crazy to have a shell script that contains a username and password so easily accessible to anybody with enough curiosity, bravado and brains to find it.
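The kind of pre-deployment check that would have caught a script like this, as an added example that is not from the original post, from linuxinit, or from Fox News or Ziff Davis: a small Python scanner that walks a web root, picks out shell scripts, and flags lines that look like embedded FTP or HTTP credentials. The sample script embedded below is constructed for the example, with a placeholder host (ftp.example.invalid) and made-up credentials; the regexes are heuristics, so treat hits as leads for a human to review, not as proof.

```python
import re
from pathlib import Path
from typing import List, Tuple

# Constructed sample: a "make my life easier" deploy helper of the sort the post
# describes. Host and credentials are placeholders, not real values.
SAMPLE_SCRIPT = """#!/bin/sh
# nightly pull of a partner XML feed
FTP_HOST=ftp.example.invalid
FTP_USER=feeduser
FTP_PASS='Not A Real Pass'
ftp -n $FTP_HOST <<EOF
user $FTP_USER $FTP_PASS
cd /xml
mget *.xml
quit
EOF
curl -u webuser:s3cret ftp://ftp.example.invalid/feed.xml -o feed.xml
"""

# Heuristic rules, checked in order; the first rule that fires wins for a line.
RULES = [
    # FOO_PASS=..., export PASSWORD=..., ftp_passwd="..." and similar
    ("variable-assignment",
     re.compile(r'^\s*(?:export\s+)?[A-Z_]*(?:PASS|PASSWORD|PASSWD|SECRET)[A-Z_]*\s*=\s*\S+', re.I)),
    # "user <name> <password>" as sent to the ftp client inside a here-document
    ("ftp-user-command",
     re.compile(r'^\s*user\s+\S+\s+\S+', re.I)),
    # curl -u name:password / curl --user name:password
    ("curl-basic-auth",
     re.compile(r'\bcurl\b.*\s(?:-u|--user)\s+\S+:\S+', re.I)),
    # ftp://name:password@host or http(s)://name:password@host
    ("url-embedded-credentials",
     re.compile(r'\b(?:ftp|https?)://[^\s/:@]+:[^\s/@]+@', re.I)),
]


def scan_script(text: str) -> List[Tuple[int, str]]:
    """Return (line number, rule name) for every non-comment line that matches a rule.
    The matched line itself is deliberately not returned, so the report can be
    shared without copying the secret into yet another file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):   # skip blanks, comments, shebang
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
                break
    return findings


def is_shell_script(path: Path) -> bool:
    """A file counts as a shell script by extension or by a #!...sh shebang."""
    if path.suffix in (".sh", ".bash", ".ksh"):
        return True
    try:
        with path.open("rb") as fh:
            first = fh.readline(128)
    except OSError:
        return False
    return first.startswith(b"#!") and b"sh" in first


def scan_tree(root: Path) -> List[Tuple[str, int, str]]:
    """Walk a web root (the directory you would expose as document root) and
    report credential-looking lines in every shell script found under it."""
    report = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and is_shell_script(path):
            text = path.read_text(errors="replace")
            for lineno, rule in scan_script(text):
                report.append((str(path.relative_to(root)), lineno, rule))
    return report


if __name__ == "__main__":
    for lineno, rule in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {rule}")
```

Run `scan_tree(Path("/var/www/html"))` (or whatever the document root is) as a step in the release pipeline or a nightly cron job; any hit under a web-served directory is something that should be moved out of the document root and have its credential rotated, which addresses both halves of the failure described above: the script being reachable and the password still being valid.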
Ziff Davis should be extremely grateful that those behind linuxinit are honest enough to alert them to the problem. Somebody less honest could have turned ftp.g.ziffdavis.com into an FTP for hire.
Edit: I note that Index of /admin is no longer accessible. All we see now is...
