Mindstorm Networks SmartFTP Daemon 0.2 Directory Traversal Vulnerability

Each time an account is added to Mindstorm Networks SmartFTP Daemon, a unique user file is created that contains the password, user rights, and other pertinent details and utilizes the filename format of username.FTP_user. A user who has an existing account on SmartFTP Daemon (including anonymous) and possesses write access can gain full access to the host by modifying this particular user file and uploading it to anywhere on the filesystem.

This can be accomplished by uploading a specially modified user file with a filename of username.FTP_user containing an arbitrary username and full access rights. This file can then be accessed by entering a username of "../path/username" (the number of '../' corresponding with the number of directories to traverse) at the login prompt. This will grant access to the ftp server with the access rights specified in the user file.


Privacy Statement
Copyright 2010, SecurityFocus