Shuttle FTP Suite Arbitrary File Write/Access

2004-08-11T07:11:18
ID OSVDB:8521
Type osvdb
Reporter Ziv Kamir (gss_it@yahoo.com)
Modified 2004-08-11T07:11:18

Description

Vulnerability Description

Shuttle FTP contains a flaw that allows a remote attacker to have full access to files and directories outside of the FTP root. The issue is due to Shuttle FTP not properly sanitizing user input. By sending a specially crafted command containing a "dot-dot" (../../) sequence or an absolute path, an attacker could read, write, and overwrite files outside of the FTP root directory.
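
The kind of check whose absence the description implies, as an added illustration (not Shuttle FTP code and not part of the original advisory): a server-side routine that maps a client-supplied path onto the FTP root and rejects "dot-dot" and absolute-path escapes. The names `resolve_in_root` and `PathEscape`, and the policy of refusing `:` in a path component, are assumptions made for this example.

```python
import os

class PathEscape(Exception):
    """Client path would resolve outside the FTP root."""

def resolve_in_root(root, cwd, client_path):
    """Map an untrusted FTP path argument to a real path under root.

    root        -- host directory served as the virtual "/" (hypothetical name)
    cwd         -- client's current virtual directory, kept by the server
    client_path -- argument of RETR, STOR, CWD, DELE and similar commands
    """
    if "\x00" in client_path:
        raise PathEscape("NUL byte in path")
    # Treat "\" as a separator so "..\..\" is caught on every host OS.
    virtual = client_path.replace("\\", "/")
    # A leading "/" means the virtual root, never the host filesystem root.
    stack = [] if virtual.startswith("/") else [p for p in cwd.split("/") if p]
    for part in virtual.split("/"):
        if part in ("", "."):
            continue
        if ":" in part:
            # Policy assumption: refuse drive letters and NTFS stream names.
            raise PathEscape("':' not allowed in path component")
        if part == "..":
            if not stack:
                raise PathEscape("traversal above FTP root")
            stack.pop()
        else:
            stack.append(part)
    root_real = os.path.realpath(root)
    # realpath follows symlinks, so a link pointing outside is caught here.
    candidate = os.path.realpath(os.path.join(root_real, *stack))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathEscape("resolves outside FTP root")
    return candidate

if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()  # constructed sample root
    for arg in ["report.txt", "/incoming/a.bin", "../../x", "C:\\x", "..\\..\\x"]:
        try:
            print(repr(arg), "->", resolve_in_root(root, "/pub", arg))
        except PathEscape as exc:
            print(repr(arg), "-> rejected:", exc)
```

Every command that takes a path argument has to go through the same routine; a check applied to reads but not to writes leaves the overwrite case open.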

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.waveflow.com/shuttleftp/
Secunia Advisory ID: 12270
ISS X-Force ID: 16950
Bugtraq ID: 10916