Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Titan FTP Server 10.32 Build 1816 - Directory Traversal Vulnerability

🗓️ 11 Feb 2014 00:00:00Reported by Fara RusteinType 
zdt
 zdt🔗 0day.today👁 40 Views

Titan FTP Server 10.32 Build 1816 - Directory Traversal Vulnerability. Vulnerabilities allow copying home folders, obtaining user lists, and observing user properties

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus		Titan FTP Server < 10.40 Build 1829 Directory Traversal Vulnerability
14 Feb 201400:00
nessus
Tenable Nessus		Titan FTP Server quote stat Command Traversal Arbitrary Directory Listing
3 Sep 200400:00
nessus
Circl		CVE-2014-1841
7 Oct 202521:02
circl
Circl		CVE-2014-1842
7 Oct 202521:02
circl
Circl		CVE-2014-1843
7 Oct 202521:02
circl
CVE		CVE-2014-1841
29 Apr 201410:00
cve
CVE		CVE-2014-1842
29 Apr 201410:00
cve
CVE		CVE-2014-1843
29 Apr 201410:00
cve
Cvelist		CVE-2014-1841
29 Apr 201410:00
cvelist
Cvelist		CVE-2014-1842
29 Apr 201410:00
cvelist
Rows per page
"Titan FTP Server Directory Traversal Vulnerabilities"
  
******************************************************************************
  
- Affected Vendor: South River Technologies
- Affected System: Titan FTP Server software (Version 10.32 Build 1816)
- Vendor Disclosure Date: January 27th, 2014
- Public Disclosure Date: February 10h, 2014
- Vulnerabilities' Status: Fixed
  
******************************************************************************
  
Associated CVEs:
  
1) CVE-2014-1841:
   It is possible to copy the complete home folder of another user by leveraging a vulnerability on the Titan FTP Server Web Interface.
  
2) CVE-2014-1842:
   It is possible to obtain the complete list of existing users by writing "/../" on the search bar.
  
3) CVE-2014-1843:
   It is possible to observe the "Properties" for an existing user home folder.
   This also allows for enumeration of existing users on the system.
  
Associated CWE:
  
  CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  http://cwe.mitre.org/data/definitions/22.html
  
******************************************************************************
  
DESCRIPTIONS
============
  
1) CVE-2014-1841:
  
   It is possible to copy the complete home folder of another user by leveraging a vulnerability on the Titan FTP Server Web Interface.
    
   This is done by using the "Move" function, and replacing the "src" parameter value with the "/../<folder name of another user>" value.  
  
2) CVE-2014-1842:
  
   It is possible to obtain the complete list of existing users by writing "/../" on the search bar and hitting the "Go" button.
  
3) CVE-2014-1843:
  
   It is possible to observe the "Properties" for an existing user home folder.
    
   This also allows for enumeration of existing users on the system.
    
   This is done by using the "Properties" function, and replacing the "src" parameter value with the "/../<folder name of another user>" value.  
  
******************************************************************************
  
- Available fix:
  Titan FTP Server software (Version 10.40 Build 1829):
   + titanftp32_10_40_1829_en.exe
   + titanftp64_10_40_1829_en.exe
  
- Related Links: Deloitte Argentina - www.deloitte.com/ar
  
- Feedback:
  If you have any questions, comments, concerns, updates or suggestions please contact:
   + Fara Rustein
     [email protected] (Twitter: @fararustein)
   + Luciano Martins
     [email protected] (Twitter: @clucianomartins)
  
******************************************************************************
  
Credits:
  
CVE-2014-1841:
  1. It is possible to copy the complete home folder of another user by leveraging a vulnerability on the Titan FTP Server Web Interface.
  Discovered by Fara Rustein - [email protected]
  
CVE-2014-1842:
  2. It is possible to obtain the complete list of existing users by writing "/../" on the search bar.
  Discovered by Luciano Martins - [email protected]
  
CVE-2014-1843:
  3. It is also possible to observe the "Properties" for an existing user home folder.
  This also allows for enumeration of existing users on the system.
  Discovered by Fara Rustein - [email protected]

#  0day.today [2018-01-26]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Feb 2014 00:00Current
6.7Medium risk
Vulners AI Score6.7
EPSS0.0379
titan ftp serverdirectory traversalsouth river technologiesversion 10.32build 1816vulnerabilityvendor disclosure datepublic disclosure datefixedcve-2014-1841cve-2014-1842cve-2014-1843cwe-22path traversalvulnerability fixdeloitte argentinafeedbackfara rusteinluciano martinsdiscovered by.
40