SecurityTracker.com

Category:   Application (File Transfer/Sharing)  >   Pablo's FTP Server
Vendors:   Pablo Software Solutions
Pablo FTP Server Discloses Files and Directories on the System to Remote Authenticated Users, Including Anonymous Users
SecurityTracker Alert ID:  1004812
SecurityTracker URL:  http://securitytracker.com/id/1004812
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 22 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   Securiteinfo.com reported an information disclosure vulnerability in the Pablo FTP Server. A remote authenticated user can view files and directories located outside of the FTP root directory.

It is reported that an authenticated remote user (including an anonymous user, if anonymous logins are permitted) can supply a request containing the '\..\' directory traversal characters to view files located outside of the FTP server directory.

Impact:   A remote authenticated user (including an anonymous user) can view files and directories located outside of the normal FTP document directory.
Solution:   The vendor has released a fixed version (Build 10), available at:

http://www.pablovandermeer.nl/ftp_server.html

Vendor URL:  www.pablovandermeer.nl/ftp_server.html
Cause:   Input validation error
Underlying OS:  Windows (NT), Windows (98), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Pablo Software Solutions FTP server Directory Traversal Vulnerability



Pablo Software Solutions FTP server Directory Traversal Vulnerability


.oO  Overview Oo.
Pablo Software Solutions FTP server version 1.0 build 9 shows files and
directories that reside outside the normal FTP root directory.
Discovered on 2002, July, 20th
Vendor: Pablo Software Solutions

Pablo's FTP Server is a multi threaded FTP server for Windows 98/NT/XP.
It comes with an easy to use interface and can be accessed from the
system tray.
The server handles all basic FTP commands and offers easy user account
management and support for virtual directories.
This FTP server can show file and directory content that resides outside
the normal FTP root directory.


.oO  Details Oo.
The vulnerability can be done using the MS-DOS ftp client. When you are
logged on to the server, you can send a dir \..\, or a dir \..\WINNT,
supposing your root directory is c:\ftp_server


.oO  Solution Oo.
The vendor has been informed and has solved the problem.
Download Pablo's FTP Server Build 10 at:
http://www.pablovandermeer.nl/ftp_server.html


.oO  Discovered by Oo.
Arnaud Jacques
webmaster@securiteinfo.com
http://www.securiteinfo.com
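
For server authors, the root-containment check that blocks the `\..\` requests described above can be sketched as follows. This is an added example, not part of the original advisory and not Pablo's FTP Server code; `naive_resolve` is a hypothetical flawed pattern shown for contrast, and the function names and the benign sample requests are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS for this demonstration

FTP_ROOT = r"c:\ftp_server"  # root directory from the advisory's example


def _join(root, cwd, arg):
    # Absolute client paths start at the FTP root; relative ones at cwd.
    virtual = arg if arg.startswith("\\") else cwd.rstrip("\\") + "\\" + arg
    return ntpath.normpath(root + "\\" + virtual.lstrip("\\"))


def naive_resolve(root, cwd, arg):
    """Hypothetical flawed pattern: normalise, but never re-check the root."""
    return _join(root, cwd, arg)


def safe_resolve(root, cwd, arg):
    """Return the resolved Windows path, or None if it leaves the FTP root."""
    if ":" in arg or "\x00" in arg:
        return None  # drive letters, alternate data streams, NUL bytes
    candidate = _join(root, cwd, arg.replace("/", "\\"))
    root_n = ntpath.normcase(ntpath.normpath(root))
    cand_n = ntpath.normcase(candidate)
    # Compare with a trailing separator so c:\ftp_server_backup is not
    # mistaken for a child of c:\ftp_server.
    if cand_n != root_n and not cand_n.startswith(root_n + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: the two from the advisory plus benign ones.
    for cwd, arg in [("\\", "\\..\\"), ("\\", "\\..\\WINNT"),
                     ("\\pub", "..\\readme.txt"), ("\\", "pub/docs")]:
        print(f"{arg!r:18} naive={naive_resolve(FTP_ROOT, cwd, arg)!r:28} "
              f"safe={safe_resolve(FTP_ROOT, cwd, arg)!r}")
```

The check is purely lexical: it does not account for junctions, 8.3 short names, or the server's virtual directories, which need a comparison on the path the operating system finally resolves.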


 
 

