FTP Server Directory Traversal
Created 3/9/01
Impact
The FTP server allows anonymous users to read arbitrary
files on the system. If the password or shadow file
can be read, the attacker could crack account passwords
and gain access to the system.
Background
Anonymous FTP servers normally service requests only for files under
the anonymous FTP home directory. For example, if server
has its anonymous FTP directory in /var/ftp, and
it receives a request for ftp://server/filename,
it sends the file /var/ftp/filename back
to the client.
The Problem
Operating systems allow path names to refer to a parent
directory using the "../" string. An attacker
could attempt to exploit this feature to retrieve files
from directories outside of the anonymous FTP directory.
Most FTP servers remove the "../" strings
from requested file names. However, some FTP servers can still
be exploited by using three dots instead of two (".../").
Other related CVE entries:
CAN 2001-0283 SunFTP
CAN 2001-0293 FtpXQ
CAN 2001-0294 TYPSoft
CVE 2001-0295 War FTP
CAN 2001-0480 Alex's FTP server
CAN 2001-0491 RaidenFTPd
CAN 2001-0582 CrushFTP
CVE 2001-0680 QPC QVT/Net and AVT/Term
CAN 2001-0694 WFTPD
CAN 2001-0767 GuildFTPd
CAN 2001-0931 Cooolsoft PowerFTP
CVE 2001-0963 SpoonFTP
CAN 2001-1031 Meteor FTP
CAN 2001-1109 EFTP
CAN 2001-1131 SlimFTPd
CVE 2001-1295 Cerberus FTP Server
CAN 2001-1300 Dynu
CAN 2002-0261 InstantServers MiniPortal
CAN 2002-1544 Cooolsoft
Resolutions
Contact the vendor of the FTP server for a fix. If
a fix is unavailable, it would be advisable to choose
a different FTP server.
Where can I read more about this?
For some examples of this vulnerability, see the
following postings to Bugtraq:
TYPSoft,
FtpXQ, and
SlimServe FTPd.