NVT 14597 WS_FTP false positive

Plugin pre2008/ws_ftp_client_weak_stored_pass.nasl, OID, is flagging Progress WS_FTP Professional 12.8.7 as vulnerable because its version is less than 2007.0.0.2. Yet it says the fixed version is 12.6, which is less than 12.8.7, which is the latest version available in the 12.x sequence.

The plugin contains this code:

```
if(version_is_less_equal(version:ftpVer, test_version:"2007.0.0.2")){
  report = report_fixed_ver(installed_version:ftpVer, fixed_version:"12.6", install_path:loc);
  security_message(port:0, data:report);
}
```

The plugin reports this:

The remote host has a version of the WS_FTP client which use a weak encryption method to store site password.

Upgrade to the newest version of the WS_FTP client.

Installed version: 12.8.7
Fixed version: 12.6
Installation path / port: C:\Program Files (x86)\Ipswitch\WS_FTP 12

WS_FTP Professional has what appear to be two separate version number sequences: 12.x, and 200x. The plugin should distinguish between the two sequences.

See the versions available here: https://docs.ipswitch.com/en/ws_ftp-professional.html
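The comparison problem described in the post above, as an added example that is not part of the original thread or of the plugin: a Python model of component-wise version comparison, showing why a single threshold flags 12.8.7 and how checking each sequence against its own threshold avoids it. The cutoff of major >= 2000 for the year-style sequence and the use of 12.6 as the threshold for the 12.x sequence are assumptions.

```python
# Added illustration. Models dotted-version comparison component by component;
# it is not the NASL implementation of version_is_less_equal().

YEAR_STYLE_MIN_MAJOR = 2000  # assumption: majors >= 2000 belong to the "200x" sequence


def parse(version):
    """Turn '12.8.7' into (12, 8, 7); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in parts)


def pad(a, b):
    """Right-pad the shorter tuple with zeros so 12.6 and 12.6.0 compare equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def less_equal(version, limit):
    a, b = pad(parse(version), parse(limit))
    return a <= b


def naive_flag(version):
    """The check quoted from the plugin: one threshold for every version."""
    return less_equal(version, "2007.0.0.2")


def sequence_aware_flag(version):
    """Compare a version only against the threshold of its own sequence."""
    if parse(version)[0] >= YEAR_STYLE_MIN_MAJOR:
        return less_equal(version, "2007.0.0.2")
    # Assumption: in the 12.x sequence, anything below the reported fix (12.6) is affected.
    a, b = pad(parse(version), parse("12.6"))
    return a < b


if __name__ == "__main__":
    # Constructed sample versions, not taken from a scan.
    for v in ("12.8.7", "12.6", "12.5.1", "2007.0.0.2", "2007.1"):
        print(f"{v:12} naive={naive_flag(v)!s:5} sequence_aware={sequence_aware_flag(v)}")
```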



Hi Karl, thanks for letting us know :slight_smile: I’ll pass this on to the developers.