EFTP 2.0.8.346 directory content disclosure

2001-12-14T00:00:00
ID SECURITYVULNS:DOC:2267
Type securityvulns
Reporter Securityvulns
Modified 2001-12-14T00:00:00

Description

There exists a vulnerability in EFTP 2.0.8.346 Vendor notified: 12/12/2001 Vendor reply/fix: 12/12/2001 Vendor Homepage: http://www.eftp.org/ Platforms tested: windows nt 4 /sp6 windows 2000 /sp2 windows XP

----------=[ Program info ]=---------- >From vendor homepage: "Encrypted File Transfer Protocol™ release 2 is the fast, easy way to send and receive files to and from your PC. With data transfer rates literally unaffected by real time encryption mode, the perfect solution for total security. Compatible with most other Server or Client based applications in standard 'non encrypted' mode."

----------=[ Vulnerability information ]=---------- It is possible to see the contents of every drive and directory of vulnerable server. A valid user account is required to exploit this vulnerability. It works both with encryption and w/o encryption. Here's how it's done: the user is logged in to his home directory (let's say d:\userdir) when the user issues a CWD to another directory server returns permission denied. But, first changing directory to "..." (it will chdir to d:\userdir\...) then issuing a CWD to "\" will say permission denied but it will successfully change to root directory of the current drive. And everytime we want to see a dir's content, we first CWD to our home directory and then CWD ... and then CWD directly to desired directory (CWD c:/ or c:/winnt etc)

So it is possible to see directory contents but i did not test to see if there is a possible way to get/put files.

----------=[ Solution ]=---------- Vendor released a fixed version (2.0.8.348) which can be obtained from vendor's homepage: http://www.eftp.org/

Best Regards & Happy Xmas

Ertan Kurt

Ertan Kurt Olympos Security www.olympos.org