[28167] in bugtraq


Re: KunaniFTP-Server v.1.0.10 allows dictionary traversal

daemon@ATHENA.MIT.EDU (Alun Jones)
Wed Dec 11 20:10:21 2002

Message-Id: <4.3.2.7.2.20021210200304.01d40e20@208.55.91.110>
Date: Tue, 10 Dec 2002 20:04:21 -0600
To: "Zero-X www.lobnan.de Team" <zero-x@linuxmail.org>
From: Alun Jones <alun@texis.com>
In-Reply-To: <20021210222324.30479.qmail@linuxmail.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 04:23 PM 12/10/2002, Zero-X www.lobnan.de Team wrote:
>Ftp> get ..\..\..\..\..\boot.ini
>200 PORT command successful
>150 Opening ASCII mode data connection for /bin/ls.

I think an FTP server that's told to "get" a file, and returns that it's 
opening a connection for "/bin/ls" (i.e. making a listing) likely has some 
maturation ahead of it.  Is this really what the server says, or is this 
bad cutting-and-pasting from the true session?

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.

