Small ftpd Directory Traversal Vulnerability
Release Date:
2003-05-02
Critical:
Moderately critical
Impact:
Exposure of system information
Exposure of sensitive information
Where:
From remote
Software:
Small ftpd 1.x
Description:
Small ftpd does not validate the argument supplied to the "CWD" command. A malicious user can supply '\..' as the argument and thereby traverse the directory structure.
The vulnerability has been reported in version 1.02. Other versions may also be affected.
Solution:
Allow access only to trusted users. Filter malicious requests in an FTP proxy or firewall with filtering capabilities.
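The filtering suggested above, as an added example (not code from the advisory or from Small ftpd): a proxy-side check that refuses "CWD" arguments containing a parent-directory component, and the server-side root-confinement check whose absence the description reports. All function names, the root `C:\ftproot` and the sample lines are assumptions constructed for illustration.

```python
import ntpath

PATH_COMMANDS = {"CWD"}  # the advisory names only CWD; extend as needed

def split_command(line: bytes):
    """Split one FTP control-channel line into (VERB, argument)."""
    verb, _, arg = line.decode("latin-1").rstrip("\r\n").partition(" ")
    return verb.upper(), arg

def has_parent_segment(arg: str) -> bool:
    """True if a component is '..', with either '\\' or '/' as separator."""
    for part in arg.replace("\\", "/").split("/"):
        part = part.rstrip(" ")
        # Conservative choice: any all-dot component of length >= 2 is refused.
        if len(part) >= 2 and set(part) == {"."}:
            return True
    return False

def allow_line(line: bytes) -> bool:
    """Proxy-side filter: False means drop the request."""
    verb, arg = split_command(line)
    return not (verb in PATH_COMMANDS and has_parent_segment(arg))

def resolve_cwd(root: str, cwd: str, arg: str):
    """Server-side check: resolved directory, or None if it leaves root."""
    arg = arg.replace("/", "\\")
    if arg.startswith("\\"):          # leading separator: relative to FTP root
        candidate = ntpath.join(root, arg.lstrip("\\"))
    else:                             # otherwise relative to session directory
        candidate = ntpath.join(cwd, arg)
    candidate = ntpath.normpath(candidate)
    root_n = ntpath.normpath(root)
    prefix = ntpath.normcase(root_n).rstrip("\\") + "\\"
    cand_c = ntpath.normcase(candidate)
    if cand_c == ntpath.normcase(root_n) or cand_c.startswith(prefix):
        return candidate
    return None

if __name__ == "__main__":
    ROOT = r"C:\ftproot"              # constructed sample root
    for raw in (b"CWD pub\r\n", b"CWD \\..\r\n", b"cwd ../..\r\n"):  # constructed
        verb, arg = split_command(raw)
        print(raw, allow_line(raw), resolve_cwd(ROOT, ROOT, arg))
```

The component-wise test avoids rejecting legitimate names such as `my..file`, and the separator-terminated prefix comparison keeps a sibling directory such as `C:\ftproot2` from passing as inside the root.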
Reported by / credits:
aT4r InsaN3




