Pablos FTP Server Unauthorized File Existence Disclosure Vulnerability
BID:9443
Info
Pablos FTP Server Unauthorized File Existence Disclosure Vulnerability
| Bugtraq ID: | 9443 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 19 2004 12:00AM |
| Updated: | Jan 19 2004 12:00AM |
| Credit: | Discovered by scrap <[email protected]>. |
| Vulnerable: |
Pablo Software Solutions Pablos FTP Server 1.77 |
| Not Vulnerable: |
Pablo Software Solutions Pablos FTP Server 1.8 |
Discussion
Pablos FTP Server Unauthorized File Existence Disclosure Vulnerability
A vulnerability reportedly affects Pablos FTP server that can allow for a remote attacker to determine whether files outside of the FTP root directory exist or not. This behavior is exhibited when a client attempts to delete a file outside of the FTP root directory using a relative path comprised of ".." sequences. While the file is not deleted in any case, the error message displayed will differ depending on whether or not the file exists.
A vulnerability reportedly affects Pablos FTP server that can allow for a remote attacker to determine whether files outside of the FTP root directory exist or not. This behavior is exhibited when a client attempts to delete a file outside of the FTP root directory using a relative path comprised of ".." sequences. While the file is not deleted in any case, the error message displayed will differ depending on whether or not the file exists.
Exploit / POC
Solution / Fix
Pablos FTP Server Unauthorized File Existence Disclosure Vulnerability
Solution:
This vulnerability is reportedly eliminated in version 1.8, available at:
http://home.kabelfoon.nl/~pablovdm/download/ftpserver180.zip
Solution:
This vulnerability is reportedly eliminated in version 1.8, available at:
http://home.kabelfoon.nl/~pablovdm/download/ftpserver180.zip
References
Pablos FTP Server Unauthorized File Existence Disclosure Vulnerability
References:
References: