FTP Server Directory Traversal
Created 3/9/01
Related CVEs:
CVE-2001-0295
Impact
The FTP server allows anonymous users to read arbitrary
files on the system. If the password or shadow file
can be read, the attacker could crack account passwords
and gain access to the system.
Background
Anonymous FTP servers normally service requests only for files under
the anonymous FTP home directory. For example, if a server
has its anonymous FTP directory in /var/ftp, and
it receives a request for ftp://server/filename,
it sends the file /var/ftp/filename back
to the client.
The Problem
Operating systems allow path names to refer to a parent
directory using the "../" string. An attacker
could attempt to exploit this feature to retrieve files
from directories outside of the anonymous FTP directory.
Most FTP servers remove the "../" strings
from requested file names. However, some FTP servers can still
be exploited by using three dots instead of two (".../").
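The advisory contrasts a server that strips the parent-directory reference out of a requested name with one that still lets the request escape. The following Python is an added example (it is not code from the advisory or from any of the servers it names) showing the two approaches side by side: a filter in the spirit of the one described above, which drops ".." components and serves whatever is left, and the hardened check that canonicalizes the joined path with the OS and then verifies it is still under the FTP root. The root directory, the file names and the symlink are all constructed in a temporary directory for the demonstration; the symlink case goes beyond what the advisory discusses, and is included because a containment check built on realpath catches it for free while a string filter cannot.

```python
import os
import tempfile


def strip_parent_components(requested: str) -> str:
    """Sanitizing approach in the spirit of the advisory (my rendering of it):
    drop every ".." path component and serve whatever remains.  This is a
    denylist on one spelling of the parent reference; any other spelling the
    OS may honour (the advisory's ".../" case) is handed to the filesystem
    unexamined, and a request that did contain ".." is silently rewritten
    instead of being refused."""
    parts = [p for p in requested.split("/") if p != ".."]
    return "/".join(parts)


def resolve_within_root(ftp_root: str, requested: str):
    """Hardened check: join, let the OS canonicalize (realpath follows
    symlinks and collapses "." and ".."), then confirm the result is still
    inside ftp_root.  Returns the canonical path, or None to reject.
    Because the *result* is checked, the spelling of a traversal attempt
    no longer matters."""
    root = os.path.realpath(ftp_root)
    # A leading "/" in an anonymous FTP request is relative to the FTP
    # root, not to the host filesystem, so drop it before joining.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo() -> dict:
    """Exercise both checks against a constructed anonymous-FTP tree and
    return the outcomes so they can be asserted on."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "ftp")            # stands in for /var/ftp
        os.makedirs(os.path.join(root, "pub"))
        with open(os.path.join(root, "pub", "readme.txt"), "w") as fh:
            fh.write("welcome\n")
        outside = os.path.join(tmp, "secret.txt")  # stands in for /etc/passwd
        with open(outside, "w") as fh:
            fh.write("not for anonymous users\n")
        # A symlink inside the root that points outside it (constructed).
        try:
            os.symlink(outside, os.path.join(root, "pub", "link"))
            symlink_ok = True
        except OSError:
            symlink_ok = False

        results = {
            # Weak filter: rewrites ".." requests, passes other spellings through.
            "weak_rewrites_dotdot": strip_parent_components("../secret.txt"),
            "weak_passes_three_dots": strip_parent_components(".../secret.txt"),
            # Hardened check: serves in-tree files, refuses anything that
            # canonicalizes to a location outside the root.
            "plain_file_served": resolve_within_root(root, "pub/readme.txt")
            == os.path.realpath(os.path.join(root, "pub", "readme.txt")),
            "dotdot_rejected": resolve_within_root(root, "../secret.txt") is None,
            "nested_dotdot_rejected":
                resolve_within_root(root, "pub/../../secret.txt") is None,
            "absolute_confined": resolve_within_root(root, "/pub/readme.txt") is not None,
            "symlink_escape_rejected": (resolve_within_root(root, "pub/link") is None
                                        if symlink_ok else None),
        }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the hardened function never tries to recognise what a traversal looks like; it asks the operating system what the path resolves to and compares that answer with the root. A request that resolves outside is refused outright rather than rewritten, which also gives the server a clean event to log.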
Resolutions
Contact the vendor of the FTP server for a fix. If
a fix is unavailable, it would be advisable to choose
a different FTP server.
Where can I read more about this?
For some examples of this vulnerability, see the
following postings to Bugtraq:
TYPSoft,
FtpXQ, and
SlimServe FTPd.