bugcrowd / vulnerability-rating-taxonomy

Bugcrowd’s baseline priority ratings for common security vulnerabilities
https://bugcrowd.com/vrt
Apache License 2.0

Properly classify Private FTP allowing Anonymous login #136

Closed securingdev closed 6 years ago

securingdev commented 6 years ago

FTP Anonymous login presents an issue where an attacker can perform nefarious acts on a server - largely depending on the privileges an anonymous user can leverage.

I would like to see Bugcrowd properly classify this issue. It would be my recommendation that this be classified as "Varies" under Server Security Misconfiguration with dependencies on anonymous user privilege.

plr0man commented 6 years ago

Thank you for filing! Can I ask you to propose a full (down to variants) classification? Something that we could use as a scaffold or an implementation-ready solution.

securingdev commented 6 years ago

Absolutely! Please give me a bit of time to think this through and propose this in detail :blush:

plr0man commented 6 years ago

@andMYhacks how does this relate to P1 – Server Security Misconfiguration > Using Default Credentials > Production Server?

shpendk commented 6 years ago

Scenario to consider: FTP server allows anonymous login but is empty/has no data in it.

plr0man commented 6 years ago

@andMYhacks we are not going to include FTP-specific entries in #135. I know you were concerned with potential confusion insofar as anonymous FTP goes. That being said, it seems like P1 – Server Security Misconfiguration > Using Default Credentials > Production Server remains the entry of choice for private FTPs allowing anonymous access.

Please feel free to reopen when you have more information.