CERTVU:210409Multiple FTP clients contain directory traversal vulnerabilities
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
47.3%
Overview
Multiple File Transfer Protocol (FTP) clients contain directory traversal vulnerabilities that allow a malicious FTP server to overwrite files on the client host.
Description
In a typical file transfer operation, one participant (the client) requests a file while a second participant (the server) provides the requested file. Before processing each request, many server implementations will consult an access control policy to determine whether the client should be permitted to read, write, or create a file at the requested location. If the client is able to craft a request that violates the server’s access control policy, then the server contains a vulnerability. Since most vulnerabilities of this type involve escaping a restricted set of directories, they are commonly known as “directory traversal” vulnerabilities.
Directory traversal vulnerabilities are most often reported in server implementations, but recent research into the behavior of FTP clients has revealed several vulnerabilities in various FTP client implementations. To exploit these vulnerabilities, an attacker must convince the FTP client user to access a specific FTP server containing files with crafted filenames. When an affected FTP client attempts to download one of these files, the crafted filename causes the client to write the downloaded files to the location specified by the filename, not by the victim user. In some cases, the attacker must use a modified FTP server to allow the crafted filenames to be passed to the client.
For more detailed information regarding this research, please read “Directory Traversal Vulnerabilities in FTP Clients”, written by Steve Christey.
Impact
This vulnerability allows an attacker to mislead users of affected FTP clients, convincing the victim to unintentionally create or overwrite files on the client’s filesystem.
Solution
Apply a patch from your vendor
For vendor-specific information regarding vulnerability status and patch availability, please consult the Systems Affected section of this document
Vendor Information
210409
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
NcFTP Software __ Affected
Notified: December 05, 2002 Updated: December 19, 2002
Status
Affected
Vendor Statement
NcFTP 3.0.0 through 3.1.4 are vulnerable to this problem. We no longer support earlier releases (the 1995 era 2.x.x versions and 1991 era 1.x.x versions) which may also be susceptible. NcFTP 3.1.5 has been posted to address this problem and is available for download from http://www.ncftp.com/download/ .
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Sun Microsystems Inc. __ Affected
Notified: December 05, 2002 Updated: December 09, 2002
Status
Affected
Vendor Statement
We have investigated this directory traversal issue and do not think it is a bug.
The user has several means of protection against this issue.
1. By default prompting is turned on, so the user gets a chance to decide if they want a file returned by mget before it is downloaded. So files will not be overwritten without prompting the user.
2. When running as an ordinary user, Unix access controls will stop system files being over written. If a user must run as root, care needs to be taken which would include not turning off interactive mode.
3. The user may run the “runique” command to force the Solaris ftp client to avoid overwriting files that already exist.
The Solaris ftp mget behaviour is consistent with other BSD derived ftp clients, for example on Linux and FreeBSD. Changing the existing behaviour will cause problems.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
IBM __ Not Affected
Notified: December 05, 2002 Updated: December 19, 2002
Status
Not Affected
Vendor Statement
IBM’s AIX ftp client is not vulnerable to the directory traversal attacks described in CERT Vulnerability Note VU#210409. These attacks require a connection to a malicious ftp server. The AIX ftp client specifies the files that are written to during a ftp session; it does not get this information from the server it is connected to. An attempt by a malicious server to specify a file to be written to will fail.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Openwall GNU/*/Linux __ Not Affected
Notified: December 05, 2002 Updated: December 09, 2002
Status
Not Affected
Vendor Statement
Openwall GNU/*/Linux is not vulnerable. The “lftp” FTP client that we use will not request files whose names contain a slash (‘/’) with “mget” and “mirror” commands and will not attempt to create files with such names locally when they’re requested by the user explicitly.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Apple Computer Inc. Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
BSDI Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Cray Inc. Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Data General Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
F5 Networks Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
FreeBSD Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Fujitsu Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Guardian Digital Inc. Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Hewlett-Packard Company Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Juniper Networks Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Microsoft Corporation Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
MontaVista Software Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
NEC Corporation Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
NetBSD Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Nokia Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
OpenBSD Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
SGI __ Unknown
Notified: December 05, 2002 Updated: December 19, 2002
Status
Unknown
Vendor Statement
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________ SGI Security Advisory
`Title : Directory Traversal Vulnerability in FTP Client
Number : 20021205-01-A
Date : December 13, 2002
Reference: CVE CAN-2002-1345
Reference: CERT VU#210409
Reference: SGI BUG 869079
- -----------------------
- — Issue Specifics —
SGI acknowledges the ftp client vulnerability reported by Steve Christey on
BugTraq <http://online.securityfocus.com/archive/1/302956> and is currently
investigating.
See also: CERT <http://www.kb.cert.org/vuls/id/210409>.
This vulnerability was assigned the following CVE candidate:
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1345>
No further information is available at this time.
For the protection of all our customers, SGI does not disclose, discuss
or confirm vulnerabilities until a full investigation has occurred and
any necessary patch(es) or release streams are available for all vulnerable
and supported Linux and IRIX operating systems.
Until SGI has more definitive information to provide, customers are
encouraged to assume all security vulnerabilities as exploitable and take
appropriate steps according to local site security policies and requirements.
As further information becomes available, additional advisories will be
issued via the normal SGI security information distribution methods
including the wiretap mailing list.
- ------------------------
- — Acknowledgments ----
SGI wishes to thank Steve Christey, CERT, Security Focus and the users of
the Internet Community at large for their assistance in this matter.
`
`- -------------
- — Links —
SGI Security Advisories can be found at:
<http://www.sgi.com/support/security/> and
<ftp://patches.sgi.com/support/free/security/advisories/>
SGI Security Patches can be found at:
<http://www.sgi.com/support/security/> and
<ftp://patches.sgi.com/support/free/security/patches/>
SGI patches for IRIX can be found at the following patch servers:
<http://support.sgi.com/irix/> and <ftp://patches.sgi.com/>
SGI freeware updates for IRIX can be found at:
<http://freeware.sgi.com/>
SGI fixes for SGI open sourced code can be found on:
<http://oss.sgi.com/projects/>
SGI patches and RPMs for Linux can be found at:
<http://support.sgi.com/linux/> or
<http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/>
SGI patches for Windows NT or 2000 can be found at:
<http://support.sgi.com/nt/>
IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
<http://support.sgi.com/irix/> and <ftp://patches.sgi.com/support/patchset/>
IRIX 6.5 Maintenance Release Streams can be found at:
<http://support.sgi.com/colls/patches/tools/relstream/index.html>
IRIX 6.5 Software Update CDs can be obtained from:
<http://support.sgi.com/irix/swupdates/>
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL <ftp://patches.sgi.com/support/free/security/>
For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.
`
`- -----------------------------------------
- — SGI Security Information/Contacts —
If there are questions about this document, email can be sent to
[email protected].
------oOo------
SGI provides security information and patches for use by the entire SGI
community. This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL <ftp://patches.sgi.com/support/free/security/>
The SGI Security Headquarters Web page is accessible at the URL:
<http://www.sgi.com/support/security/>
For issues with the patches on the FTP sites, email can be sent to
[email protected].
For assistance obtaining or working with security patches, please
contact your SGI support provider.
------oOo------
SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(<http://www.sgi.com/support/security/wiretap.html>) or by sending email to
SGI as outlined below.
% mail [email protected]
subscribe wiretap <YourEmailAddress such as [email protected] >
end
^d
In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to. The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.
`
------oOo------
SGI provides a comprehensive customer World Wide Web site. This site is located at <http://www.sgi.com/support/security/> .
------oOo------
If there are general security questions on SGI systems, email can be sent to [email protected].
For reporting *NEW* SGI security issues, email can be sent to [email protected] or contact your SGI support provider. A support contract is not required for submitting a security report.
______________________________________________________________________________ This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, SGI is appropriately credited and the document retains and includes its valid PGP signature.
-----BEGIN PGP SIGNATURE----- Version: 2.6.2
iQCVAwUBPfov27Q4cFApAP75AQGNHwP9HCg+/MMHHQu66EyiEyjZS7BfjcItGHV6 AiN/Dhn6tmim2LfKxrCVHWQZmdydD2iZFBZbx7vfuaqFmqT0GOo4qxfYBVYPle1m s+pB5dZWFaRSJpRqU8aU5DCugsEtTe7dkBq1ccBymeOU3Tw3uG6WG/yddmvRZTU5 p+c09WNRrss= =woXO -----END PGP SIGNATURE-----
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Sequent Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Sony Corporation Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
SuSE Inc. Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
The SCO Group (SCO Linux) Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
The SCO Group (SCO UnixWare) Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Unisys Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
WU-FTPD Development Group Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Wind River Systems Inc. Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
Wirex Unknown
Notified: December 05, 2002 Updated: December 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
publicfile Unknown
Notified: December 05, 2002 Updated: December 19, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23210409 Feedback>).
View all 31 vendors __View less vendors __
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
<http://online.securityfocus.com/archive/1/302956>
Acknowledgements
The CERT/CC thanks Steve Christey for his discovery and analysis of these vulnerabilities.
This document was written by Jeffrey P. Lanza.
Other Information
| CVE IDs: | CVE-2002-1345 |
|---|---|
| Severity Metric: | 2.81 Date Public: |
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
47.3%