Serv-U FTP Server Path Disclosure Vulnerability

The default settings for Serv-U cause the server to give out full physical path information in the following circumstances.

A user attempting to retreive a non-existant file or change to a non-existant directory will see:
550 /d:/ftproot/nonexist: No such file or directory.

A user changing to an existing directory will see:
250 Directory changed to /d:/ftproot/exist

This information could be used to simplify other attacks.


 

Privacy Statement
Copyright 2010, SecurityFocus