- ".."-hole in Broker FTP Server v.3.0 Build 1 -

There's a hole in Broker FTP Server v.3.0 Build 1. Here's an example:

You have it installed with FTP root in c:\FTProot and you have a user "test" with home directory in c:\FTProot\test. You also have checked the "Display as ROOT directory" checkbox for test, so he/she can't get below the home directory. CWD won't take him/her below it, but LIST will:

LIST ..\..\winnt\

will list the contents of c:\winnt and

NLST ..\..\winnt\

will also list the contents of c:\winnt. Of course this isn't as bad as if CWD or RETR had worked, but you probably don't want anybody to be able to look around in your private directories.


© 1999, Arne Vidström