`I found a bug in the SmartFTP-D Server which will give an attacker full
access to the server, if he has the right to write files on the server. For
every user, the program is checking if a special Userfile exists (Sample:
Username=hacker & Userfile=hacker.FTP_User). If it exists, the configuration,
like password, rights, etc. will be read out of this file. The program doesn't
check for bad characters, so by using "..\" you can switch to other
directorys. If an attacker has an account on the machine, where he can write files,
he can use this to get full access to the whole machine! Let's take this
example: Upload directory is D:\Upload and SmartFTP-D is installed in
D:\Program Files\SmartFTP Daemon. An attacker would upload a file called
exploit.FTP_User, which includes his own password and the rigths, he wishes to have. If
he now uses the Username "..\..\..\..\..\Upload\exploit", his uploaded
Userfile will be used and he can login.
mindstorm networks has been informed about this bug and a fix should be
available soon. Until they will release a fix, you can get my unofficial
HotFix at my homepage, which will implement the missing check-function for bad
characters in the Username.
-Moritz
--
Moritz Jodeit
http://jodeit.cjb.net
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation