SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Fastream NETFile Server Vendors:   Fastream Technologies
Fastream NETFile Server Lets Remote Users Create or Delete Files and Directories in Arbitrary Locations
SecurityTracker Alert ID:  1013803
SecurityTracker URL:  http://securitytracker.com/id/1013803
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 26 2005
Impact:   Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 7.5.0 Beta 7; Tested on 7.4.6 on English Win2K SP4
Description:   Tan Chew Keong of SIG^2 Vulnerability Research reported a vulnerability in Fastream NETFile server. A remote authenticated user can upload or delete files or directories located outside of the FTP directory.

A remote authenticated user with directory creation/removal privileges can invoke a specially crafted URL to create or delete files and directories located outside of the FTP root directory. Some demonstration exploit URLs are provided:

http://[target]/?command=delete&filename=.../..//a/.../yyy.txt
http://[target]/?command=mkdir&filename=.../..//a/.../testdir
http://[target]/?command=rmdir&filename=.../..//a/.../testdir

[Editor's note: This vulnerability was originally reported by Andres Tarasco Acuna (at4r) in July 2004 and reported to have been fixed by the vendor in version 6.7.3, as posted in Alert ID 1010642. However, the fix was not complete. A slightly different type of request can still exploit the flaw.]

The vendor was notified on April 21, 2005.

The original advisory is available at:

http://www.security.org.sg/vuln/netfileftp746.html

Impact:   A remote authenticated user with file upload privileges can upload files to locations or delete files located outside of the FTP root directory.

A remote authenticated user with directory creation/modification privileges can create or delete directories located outside of the FTP root directory.

Solution:   The vendor has released a fixed version (7.5.0 Beta 7).
Vendor URL:  www.fastream.com/products.htm (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [SIG^2 G-TEC] Fastream NETFile FTP/Web Server Directory Traversal


SIG^2 Vulnerability Research Advisory

Fastream NETFile FTP/Web Server Directory Traversal Vulnerability

by Tan Chew Keong
Release Date: 25 Apr 2005


ADVISORY URL
http://www.security.org.sg/vuln/netfileftp746.html


SUMMARY

Fastream NETFile FTP/Web Server 
(http://www.fastream.com/netfileserver.htm) is a secure FTP server and 
Web server combined together in one program. It claims to be the 
"easiest to setup and administer server" on the Internet.

A directory traversal vulnerability was found in NETFile FTP's web 
interface. This vulnerability may be exploited by a user with file 
upload/delete privileges to upload/delete files outside the FTP root, or 
by a user with directory create/remove privileges to create/remove 
directories outside the FTP root.


TESTED SYSTEM

Fastream NETFile FTP/Web Server Version 7.4.6 on English Win2K SP4.


DETAILS

NETFile FTP supports file upload/download and directory 
creation/deletion via a Web Interface. The Web Interface has a directory 
traversal vulnerability that was previously reported by Andres Tarasco 
Acuna. 
(http://packetstormsecurity.org/0407-advisories/Fastream_advisory.txt). 
It appears that this vulnerability was not sufficiently fixed and it is 
still exploitable by crafting the request in another way.

Shown below are sample requests to delete a file, to create a directory, 
and to remove a directory from outside the FTP root. To exploit this 
vulnerability, the user must have the appropriate FTP privileges to 
delete files and to create/remove directories.

http://[hostname]/?command=delete&filename=.../..//a/.../yyy.txt
http://[hostname]/?command=mkdir&filename=.../..//a/.../testdir
http://[hostname]/?command=rmdir&filename=.../..//a/.../testdir

Directory traversal vulnerability also exists when the server accepts 
file uploads via a POST request using the web interface. It is possible 
to use directory traversal characters to cause files to be saved outside 
the FTP root.


PATCH

1. Upgrade to Version 7.5.0 Beta 7 and above which fixes this particular 
directory traversal vulnerability.
2. Or, disable the web interface.
3. Or, allow only trusted users to upload/delete files and create/remove 
directories.


DISCLOSURE TIMELINE

17 Apr 05 - Vulnerability Discovered.
21 Apr 05 - Initial Vendor Notification.
21 Apr 05 - Initial Vendor Reply.
21 Apr 05 - Vendor Provided 7.5.0 Beta 6 for Testing.
21 Apr 05 - Informed Vendor that File-Upload Directory Traversal is not 
Fixed.
22 Apr 05 - Vendor Provided 7.5.0 Beta 7 for Testing.
25 Apr 05 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC