[Full-disclosure] (no subject)

From: Donato Ferrante (fdonato_at_autistici.org)
Date: 08/24/05

  • Next message: James Tucker: "Re: [Full-disclosure] talk.google.com"
    Date: Wed, 24 Aug 2005 14:59:57 -0000
    To: <bugtraq@securityfocus.com>, <vuln@secunia.com>, <full-disclosure@lists.grok.org.uk>, <bugs@securitytracker.com>, <news@securiteam.com>
    
    

                               Donato Ferrante

    Application: Home Ftp Server
                  http://downstairs.dnsalias.net/homeserver.html

    Version: 1.0.7 b45

    Bugs: Multiple Vulnerabilities

    Date: 24-Aug-2005

    Author: Donato Ferrante
                  e-mail: fdonato@autistici.org
                  web: www.autistici.org/fdonato

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    1. Description
    2. The bugs
    3. The code
    4. The fix

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ----------------
    1. Description:
    ----------------

    Vendor's Description:

    "Home ftp server is a very easy to use Windows FTP server application
     with all the nice ftp features included."

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -------------
    2. The bugs:
    -------------

    i. Information Disclosure: by default the program stores user
        account information ("ftpmembers.lst") and the ftp server
        settings ("ftpsettings.lst") in the program's directory, which
        is also the default home directory for ftp users.
        Both files are stored in clear text, so any user who can log in
        can read the server settings and the other users' account
        information straight from the home directory.

    ii. Directory Traversal: the program lets a logged-in user list and
        (if "Allow download files" is enabled) download any file on the
        remote system, not just the files under the user's home
        directory.
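    The following is an added example, not the vendor's code and not the
    PoC linked in section 3. It models the two bugs in a small path
    resolver: naive_resolve() joins whatever the client sends onto the
    root, which is enough to reproduce bug ii, and safe_resolve() is the
    containment check the server should have done. exposed_config_files()
    expresses bug i as a configuration test: it reports which of the
    clear-text .lst files end up inside a served home directory. The
    install path (/srv/homeftp) is an assumption and paths are written in
    POSIX form so the script runs anywhere; the product is Windows-only,
    so backslashes are folded to "/" before resolving.

```python
# Added example, not Home Ftp Server's code. Models the advisory's two bugs
# with a naive and a confined path resolver plus a config-exposure check.
# Paths are POSIX-style so this runs anywhere; the product is Windows-only,
# so Windows separators are folded to "/" before resolving.
import posixpath

# Assumed install location, purely illustrative (not from the advisory).
PROGRAM_DIR = "/srv/homeftp"
# Clear-text files named in the advisory.
CONFIG_FILES = ("ftpmembers.lst", "ftpsettings.lst")


def _client_to_posix(client_path):
    """Fold Windows separators so "..\\..\\x" is treated like "../../x"."""
    return client_path.replace("\\", "/")


def naive_resolve(root, cwd, client_path):
    """The unsafe pattern: join and normalize, never check containment.

    posixpath.join discards `root` when the client sends an absolute path,
    and normpath happily walks ".." above the root, so any file on the
    system is addressable (bug ii).
    """
    p = _client_to_posix(client_path)
    return posixpath.normpath(posixpath.join(root, cwd.lstrip("/"), p))


def safe_resolve(root, cwd, client_path):
    """Map an FTP path onto the filesystem and refuse anything outside root.

    An absolute FTP path is relative to the *virtual* root, not the OS
    root, so its leading "/" is stripped before joining. The prefix check
    after normalization is the real guard: the candidate must be the root
    itself or live strictly below "root/" (the trailing slash keeps
    "/srv/homeftp2" from passing as a child of "/srv/homeftp").
    """
    root = posixpath.normpath(root)
    p = _client_to_posix(client_path)
    if posixpath.isabs(p):
        candidate = posixpath.join(root, p.lstrip("/"))
    else:
        candidate = posixpath.join(root, cwd.lstrip("/"), p)
    candidate = posixpath.normpath(candidate)
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError("path escapes FTP root: %r" % client_path)
    return candidate


def exposed_config_files(home_root, program_dir=PROGRAM_DIR, names=CONFIG_FILES):
    """Return the server config files reachable from a user's home_root.

    Bug i is exactly the case home_root == program_dir: both .lst files
    are then ordinary downloadable files in the user's home directory.
    """
    home_root = posixpath.normpath(home_root)
    exposed = []
    for name in names:
        full = posixpath.normpath(posixpath.join(program_dir, name))
        if full == home_root or full.startswith(home_root + "/"):
            exposed.append(full)
    return exposed


if __name__ == "__main__":
    for req in ("docs/readme.txt", "../../etc/passwd",
                "/etc/passwd", "..\\..\\boot.ini"):
        unsafe = naive_resolve(PROGRAM_DIR, "/", req)
        try:
            safe = safe_resolve(PROGRAM_DIR, "/", req)
        except PermissionError as err:
            safe = "REJECTED (%s)" % err
        print("%-18s naive=%-24s safe=%s" % (req, unsafe, safe))
    print("exposed with default home:", exposed_config_files(PROGRAM_DIR))
    print("exposed with separate home:", exposed_config_files("/srv/ftproot"))
```

    The check in safe_resolve() rejects escapes instead of silently
    clamping them to the root, so a traversal attempt shows up as an
    error the server can log. Keeping the .lst files outside every
    served directory (a different home root, or the program directory
    removed from the set of shareable folders) is the configuration-side
    workaround for bug i while no vendor fix exists.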

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -------------
    3. The code:
    -------------

    www.autistici.org/fdonato/poc/HomeFtpServer107b45_MV_poc.py

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ------------
    4. The fix:
    ------------

    No fix.
    No reply from vendor.

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
