- ".."-hole in Broker FTP Server v.3.0 Build 1 -
There's a hole in Broker FTP Server v.3.0 Build 1. Here's an example:
You have it installed with FTP root in c:\FTProot and you have a user "test" with home directory in c:\FTProot\test. You also have checked the "Display as ROOT directory" checkbox for test, so he/she can't get below the home directory. CWD won't take him/here below it, but LIST will:
will list the contents of c:\winnt and
will also list the contents of c:\winnt. Of course this isn't as bad as if CWD or RETR had worked, but you probably don't want anybody to be able to look around in your private directories.
[Home] [Security Advisories] [The Toolbox] [The Trashcan]
© 1999, Arne Vidström