CesarFTP v0.98b triple dot Directory Traversal / Weak password encryption AFFECTED SYSTEMS CesarFTP v0.98b on Windows 9x / ME DESCRIPTION 1) Directory Traversal First, we need a directory where we have access to on the victim host... (Or we can create one if we have enough rights) ftp://127.0.0.1/ might give us a directory RESTRICTED/ for example now we do : ftp://127.0.0.1/RESTRICTED/...%5c/ and we're out of the restricted subdirectory, we have read access to the whole harddrive 2) Once again an FTP server with weak password encryption... The username:password pairs are stored in plaintext in the program directory. (\program files\CesarFTP\settings.ini) Combined with the directory traversal, the password file can be easily attained by any user... VENDOR STATUS I have sent this advisory to <cesarftpat_private> ======================================================= [ByteRage] <byterageat_private> [www.byterage.cjb.net] ======================================================= __________________________________________________ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/
This archive was generated by hypermail 2b30 : Mon May 28 2001 - 09:28:33 PDT