CrushFTP Server does not adequately filter user input thereby permitting directory traversal

Overview

CrushFTP allows access to files outside the FTP root directory through directory traversal.

Description

CrushFTP is a Java-based FTP server available for Linux, Mac OS, and Windows. CrushFTP can be configured to limit access to files under a designated FTP root directory. However, CrushFTP allows an attacker to get files outside this directory through ‘…/’ directory traversal.

---

Impact

CrushFTP allows an attacker to see any file in the filesystem, including potentially sensitive and critical system files.

---

Solution

Upgrade to version 2.1.7 or later of CrushFTP at:

<http://www.crushftp.com>

---

Use chroot if available on your system, to limit the scope of CrushFTP’s access to the filesystem.

---

Vendor Information

110803

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Ben Spink Affected

Notified: August 29, 2001 Updated: November 17, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23110803 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0583&gt;
• <http://xforce.iss.net/static/6495.php&gt;
• <http://xforce.iss.net/alerts/vol-6_num-7.php&gt;

Acknowledgements

Thanks to Joe Testa for discovering this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs:	CVE-2001-0582
Severity Metric:	0.11 Date Public: