root directory
Affects: Walusoft TFTPServer2000 Version 3.6.1
Fixed in: No fix currently available.
Risk: Medium
Vulnerability Description: Walusoft TFTPServer2000 Version 3.6.1 is prone to a directory-traversal vulnerability because it fails to sanitize TFTP GET requests. By using a specially crafted TFTP GET request an attacker is capable of retrieving files outside of the TFTP root directory.
Impact: The ability to obtain files outside of the TFTP root directory may allow an attacker to obtain more information about the underlying operating system and applications running on the host.
Keywords: security, vulnerability, tftp, directory traversal, princeofnigeria, gui, windows, server
See http://www.adobe.com/support/security/bulletins/apsb10-18.html
ColdFusion 9
1. Download CFIDE-9.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-9.zip to the web root directory that contains the CFIDE folder. The Server Settings > Mappings page in the ColdFusion Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
5. Restart all the ColdFusion instances.
ColdFusion 8.0.1
Overview:
"Core FTP Server" and "Core FTP mini-core sftp server" are both products of Core FTP that allow you to exchange files with others via networks and the internet. I have tested the SFTP module of "Core FTP Server" before and found there are several Denial of Service and Directory Traversal vulnerabilities. It seems "Core FTP mini-core sftp server" has behaved the same way as Core FTP Server does--They have the same vulnerabilities.
1. Directory Traversal vulnerability:
$m = $sftp->mkdir("../A/");  # create a folder outside the root directory
2. Denial of Service vulnerability:
$o1 = $sftp->open("A" x 10000);                    # 10000-byte file name
$o2 = $sftp->open("test", "O_RDWR", "A" x 10000);  # oversized third argument
$o3 = $sftp->open("test", $FUZZ, 0666);            # fuzzed flags value
location of console.log files on a per-jail basis.
In addition, the solution described below does not fully secure jail
configurations where two jails have overlapping directory trees and a
file system is mounted inside the overlap. Overlapping directory
trees can occur when jails share the same root directory; when a jail
has a root directory which is a subdirectory of another jail's root
directory; or when a part of the file system space of one jail is
mounted inside the file system space of another jail, e.g., using
nullfs or unionfs.
modifications it is trivial to produce a working exploit. Our approach for
a proof-of-concept test was to modify VMFtp's source code to replace all
occurrences of '+' with '\xc2' in an input pathname.
After doing the above, the following command on a modified VMFtp client
lists the contents of the root directory of the Host's file system and then
uploads a file from the Guest system to the root directory of the Host system.
/-----------
cd existing_share
Affects: TFTPUtil GUI versions 1.2.0 and 1.3.0
Fixed in: 1.4.0
Risk: Medium
Vulnerability Description: TFTPUtil GUI versions 1.2.0 and 1.3.0 are prone to a directory-traversal vulnerability because they fail to sanitize TFTP GET requests. By using a specially crafted TFTP GET request an attacker is capable of retrieving files outside of the TFTP root directory.
Impact: The ability to obtain files outside of the TFTP root directory may allow an attacker to obtain more information about the underlying operating system and applications running on the host.
Keywords: security, vulnerability, tftp, directory traversal, princeofnigeria, gui, windows, server
Earlier versions may also be affected
Overview:
Home FTP Server is an easy-to-use FTP server application. A Directory Traversal Vulnerability exists in Home FTP Server that
allows an authenticated user to create directories outside the FTP root directory, which may lead to other attacks.
Details:
Home FTP Server fails to sufficiently sanitize user-supplied input in the 'MKD' command. An authenticated user could use the command
"MKD ../A" to create a folder named "A" outside the FTP root directory.
1. Log on to your system using the installation owner account and
make sure the environment is set up correctly:
1. II_SYSTEM must be set to the Ingres system files
2. PATH must include $II_SYSTEM/bin and $II_SYSTEM/utility
directories.
2. Change directory to the root directory of the Ingres
installation or use a previously created directory.
cd $II_SYSTEM/ingres
or
cd <patch_directory>
3. Copy the downloaded maintenance update file into the current
Affects: NetDecision TFTP Server 4.2
Fixed in: N/A
Risk: MEDIUM
Vulnerability Description: NetDecision TFTP Server 4.2 is prone to a directory-traversal vulnerability because it fails to sanitize TFTP GET and PUT requests. By using a specially crafted TFTP request an attacker is capable of putting (PUT) and retrieving (GET) files outside of the TFTP root directory.
Impact: The ability to PUT and GET files outside of the TFTP root directory may allow an attacker to obtain more information about the underlying operating system and applications running on the host. Additionally, malicious code can be uploaded to the host operating system.
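The following Python is an added example, not code from the Walusoft, TFTPUtil or NetDecision advisories above. It encodes a TFTP read or write request the way RFC 1350 lays it out, so the traversal string can be seen travelling verbatim in the filename field, and shows the root-confinement check a server has to apply before opening the file for GET or PUT. The root path /srv/tftp and the request names are constructed; because the affected products run on Windows, backslashes and drive letters are treated as traversal as well.

```python
"""
TFTP request encoding (RFC 1350) and the server-side root-confinement check.

Added example; not code from the Walusoft, TFTPUtil or NetDecision advisories.
The root path and request names below are constructed for illustration.
"""
import posixpath
import struct

OP_RRQ = 1  # read request  -> GET
OP_WRQ = 2  # write request -> PUT


def build_request(opcode, filename, mode="octet"):
    """Encode a request: | opcode (2 bytes, big-endian) | filename | 0 | mode | 0 |.

    The format places no restriction on the filename, so "../" sequences
    reach the server verbatim; rejecting them is entirely the server's job.
    """
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return (struct.pack("!H", opcode)
            + filename.encode("latin-1") + b"\x00"
            + mode.encode("latin-1") + b"\x00")


def parse_request(packet):
    """Decode a request packet into (opcode, filename, mode)."""
    if len(packet) < 4:
        raise ValueError("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("not a read or write request")
    fields = packet[2:].split(b"\x00")
    # "filename\0mode\0" splits into [filename, mode, b""]; RFC 2347 option
    # pairs, if any, follow and are ignored here.
    if len(fields) < 3:
        raise ValueError("truncated request")
    return opcode, fields[0].decode("latin-1"), fields[1].decode("latin-1")


def resolve_in_root(root, requested):
    """Map a client-supplied name onto the TFTP root, or return None if it escapes.

    Purely lexical (no file system access) so it is easy to test; a real
    server should additionally realpath() the result to defeat symlinks.
    """
    root = posixpath.normpath(root)
    prefix = root if root.endswith("/") else root + "/"
    # The affected products run on Windows: treat '\' like '/' and refuse
    # drive letters and NTFS stream syntax ('C:', 'file.txt:stream').
    name = requested.replace("\\", "/")
    if ":" in name:
        return None
    # A leading '/' is taken relative to the root, as most TFTP daemons do.
    name = name.lstrip("/")
    # normpath collapses 'a/../b' to 'b' but leaves a leading '..' in place,
    # which is exactly the case we must refuse.
    norm = posixpath.normpath(name)
    if norm in (".", "..") or norm.startswith("../"):
        return None
    full = posixpath.join(root, norm)
    # Final guard: whatever happened above, the result must sit under root.
    if full != root and not full.startswith(prefix):
        return None
    return full


def handle_request(root, packet):
    """Server dispatch: ('GET'|'PUT', confined_path) or ('ERROR', reason)."""
    try:
        opcode, filename, mode = parse_request(packet)
    except ValueError as exc:
        return ("ERROR", str(exc))
    if mode.lower() not in ("octet", "netascii"):
        return ("ERROR", "unsupported transfer mode")
    path = resolve_in_root(root, filename)
    if path is None:
        return ("ERROR", "access violation")  # TFTP error code 2
    return ("GET" if opcode == OP_RRQ else "PUT", path)


if __name__ == "__main__":
    ROOT = "/srv/tftp"  # constructed root directory
    for op, name in [(OP_RRQ, "firmware.bin"),
                     (OP_RRQ, "../../../etc/passwd"),
                     (OP_RRQ, "..\\..\\boot.ini"),
                     (OP_WRQ, "configs/../backdoor.exe"),
                     (OP_WRQ, "C:\\Windows\\win.ini")]:
        pkt = build_request(op, name)
        print(f"{pkt!r:50} -> {handle_request(ROOT, pkt)}")
```

The check is deliberately done on the normalised name rather than by string-searching for "..": a request such as configs/../backdoor.exe is legitimate (it stays inside the root and is accepted as a PUT), whereas anything whose normalised form still begins with ".." or that carries a drive letter is refused with the TFTP "access violation" error.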
[--Background--]
1. Vendor description of software
------------------------------------------------
TurboFTP Server is a high performance, secure, scalable and management friendly file transfer server running on Windows platforms. With it you can easily set up a secure file transfer server that delivers regular FTP, FTP over SSL/TLS, and "SFTP over SSH" services with virtual domains, advanced directory access control, virtual folders, IP access control, flexible authentication options and many other features.
2. Vulnerability details:
------------------------------------------------
Directory Traversal Vulnerability exists in "FTP" and "SFTP" module of Turbo FTP Server that allows an authenticated user to create directories outside the root directory, which may lead to other attacks.
If you can log on to the server successfully,
take the following steps to create folders outside the SFTP root directory:
1. $ssh2 = Net::SSH2->new();
2. $ssh2->connect($server, $port);
From netVigilance:
Disable warning messages: in the php.ini file, set the following line: display_errors = Off.
From vendor:
Modify .htaccess file to include 'php_flag register_globals off' (this will work only for the Apache servers). Amend admin/config.php to include 'error_reporting(0);'
Update critical files in the /admin, /rss and root directory of the installation (all MySQL error reporting removed)
Example:
Path Disclosure Vulnerability 1:
REQUEST:
http://[TARGET]/[PRODUCT DIRECTORY]/news.php
user 0m0.040s
sys 0m0.010s
Depending on the DBMS configuration, creation of arbitrary files and/or
code execution might also be possible. The following example illustrates
the creation of a PHP script within the web application's root directory
using the SELECT .. INTO DUMPFILE functionality provided by MySQL:
$ ./sql_inject.sh a3779402b23fa4acdcba6be907521acb user@example.com "" \
"1=0)) UNION SELECT '','','<?php phpinfo();?>'
INTO DUMPFILE 'c:/Program Files/Merak/html/webmail/phpinfo.php'-- "
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
Chroot is an operation that changes the apparent root directory for the
current process and its children. The chroot(2) system call is widely
used in many applications as a measure of limiting a process's access to
the file system, as part of implementing privilege separation.
The nsdispatch(3) API implementation has a feature to reload its
.text:0001A6CB mov [ebp+var_28], esi
.text:0001A6CE cmp esi, edi
.text:0001A6D0 jz short loc_1A74F
.text:0001A6D2 mov edi, [ebp+ObjectAttributes]
.text:0001A6D5 mov eax, [edi+OBJECT_ATTRIBUTES.RootDirectory] ;
Here, the code retrieves the value of the RootDirectory field from the
structure, which is controlled by us.
.text:0001A6D8 test eax, eax
.text:0001A6DA jz short loc_1A71B
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I confirm this affects GoDaddy hosting too. Found a file called
ferdy_simonette.php in my web hosting root directory.
This file injects malicious code into all the .php and .html files in
your hosting directory and subdirectories (and maybe other file
extensions).
--- [ Remote File Upload Vulnerability ] ---
===============================================
A remote file upload vulnerability is present in LightBlog version 9.5.
Users without permissions are able to upload any kind of file, including .php, so an attacker can upload a remote PHP
shell.
The vulnerable file is cp_upload_image.php, which you can find under the root directory of the uploaded blog (shown
in the PoC section).
--- [ PoC ] ---
===============
1) List arbitrary directories
Any directory within the file system of the phone can be browsed, beyond the limits of the default shared folder (the SDCard).
The following example is the output of a command for listing a directory with ObexFTP. Given the Bluetooth MAC address of an HTC / Android based mobile phone and the path ../, the command retrieves the content of the parent of the default directory of the FTP server, which is the root directory of the disk file system:
gospel@ubuntu:~$ obexftp -b 90:21:55:8C:2C:3A -l "../"
Browsing 90:21:55:8C:2C:3A ...
Connecting..\done
Tried to connect for 29ms
An input validation problem exists within JSPWiki which allows an
attacker to include, and thereby execute, arbitrary local .jsp files. An
attacker may leverage this issue to execute arbitrary server-side script
code on a vulnerable server with the privileges of the web server process.
Example (including rss.jsp file from the application root directory):
http://server/JSPWikiPath/Edit.jsp?page=Main&editor=../../../rss
Note: page parameter must be an existing page on the server.
This grants an attacker unauthorized access to sensitive .jsp files on
-----------------------------
Exploit
-----------------------------
View shares on device:
http://[DEVICE IP OR HOSTNAME]/cgi-bin/smbwebclient.php?path=WORKGROUP%2F[DEVICE NAME]
(Device name is found in title of webpage on root directory of device)
View all shares on device's local network:
http://[DEVICE IP OR HOSTNAME]/cgi-bin/smbwebclient.php
-----------------------------
files outside of the temporary directory.
In the applications like the one in question this results in
a remote PHP code execution vulnerability, because we are
able to drop new PHP files in writable directories within
the webserver's document root directory.
Details:
No details required. To exploit this an attacker just needs to
*******************************************************************************
Overview:
XM Easy Personal FTP Server fails to handle more than 2000 files or folders in
the root directory.
*******************************************************************************
Details:
if you can log on to the server, take the following steps and the server will