Fastream FTP++ Server Malformed ls Command Arbitrary Directory Listing

2001-01-19T00:00:00
ID OSVDB:12103
Type osvdb
Reporter OSVDB
Modified 2001-01-19T00:00:00

Description

Vulnerability Description

Fastream FTP++ Server contains a flaw that may lead to unauthorized file access. The issue is triggered when a remote attacker uses "ls" command and includes the drive letter in the requested path name, which will allow a remote attacker to list directories outside of the Faststream FTP++ Server directory, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.0 Beta 10 Build 3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Fastream FTP++ Server contains a flaw that may lead to unauthorized file access. The issue is triggered when a remote attacker uses "ls" command and includes the drive letter in the requested path name, which will allow a remote attacker to list directories outside of the Faststream FTP++ Server directory, resulting in a loss of confidentiality.

References:

Vendor URL: http://www.fastream.com/ftppp.htm Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-01/0336.html ISS X-Force ID: 5977 CVE-2001-0255 Bugtraq ID: 2267