[20772] in bugtraq
CesarFTP v0.98b triple dot Directory Traversal / Weak password encryption
daemon@ATHENA.MIT.EDU (ByteRage)
Mon May 28 12:28:00 2001
Message-ID: <20010527173308.24941.qmail@web13002.mail.yahoo.com>
Date: Sun, 27 May 2001 10:33:08 -0700 (PDT)
From: ByteRage <byterage@yahoo.com>
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
CesarFTP v0.98b triple dot Directory Traversal / Weak
password encryption
AFFECTED SYSTEMS
CesarFTP v0.98b on Windows 9x / ME
DESCRIPTION
1) Directory Traversal
First, we need a directory where we have access to on
the victim host...
(Or we can create one if we have enough rights)
ftp://127.0.0.1/
might give us a directory RESTRICTED/ for example
now we do :
ftp://127.0.0.1/RESTRICTED/...%5c/
and we're out of the restricted subdirectory, we have
read access to the whole harddrive
2)
Once again an FTP server with weak password
encryption...
The username:password pairs are stored in plaintext in
the program directory. (\program
files\CesarFTP\settings.ini)
Combined with the directory traversal, the password
file can be easily attained by any user...
VENDOR STATUS
I have sent this advisory to <cesarftp@aclogic.com>
=======================================================
[ByteRage] <byterage@yahoo.com> [www.byterage.cjb.net]
=======================================================
__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/
