Lucene search
RootSSV:61540HistoryFeb 24, 2014 - 12:00 a.m.
Core FTP 'USER' 命令信息泄露漏洞
2014-02-2400:00:00
Root
www.seebug.org
10
0.003 Low
EPSS
Percentile
68.0%
BUGTRAQ ID: 65428
CVE(CAN) ID: CVE-2014-1443
CoreFTP是免费的FTP客户端。
Core FTP 1.2 build 511及其他版本处理XCRC命令时存在错误,这可使攻击者利用目录遍历序列,获取FTP根目录以外的文件名。
0
Core FTP Core FTP 1.x
厂商补丁:
Core FTP
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
Proof of Concept:
1) Log into the Core FTP Server with a valid user.
2) Close the terminal.
3) Use the "USER" command with the following string:
"%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
4) Observe that the previously used password is disclosed
Related
cve
cve
CVE-2014-1443
2014-05-02 01:59:22
cvelist
cvelist
CVE-2014-1443
2014-05-02 01:00:00
nvd
nvd
CVE-2014-1443
2014-05-02 01:59:22
prion
prion
Design/Logic Flaw
2014-05-02 01:59:00
packetstorm
packetstorm
Core FTP Server 1.2 DoS / Traversal / Disclosure
2014-02-05 00:00:00
nessus
nessus
Core FTP Server < 1.2 Build 515 Multiple Vulnerabilities
2014-02-24 00:00:00