Info

Disclosure

May 28, 2001

Discovery

Unknown

Dates

Exploit

May 28, 2001

Solution

Unknown

Description

CesarFTP contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the program not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the GET command.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

ACLogic

CesarFTP

0.98b

References

Bugtraq ID: 2786
ISS X-Force ID: 6606
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-05/0252.html
CVE ID: 2001-1335 (see also: NVD)
Security Tracker: 1001624
Keyword: Directory Traversal

Credit

ByteRage - byterageyahoo.com - Personal Page

Direct URL: http://osvdb.org/36218