Netwin SurgeFTP Server Information Disclosure Vulnerability

SurgeFTP is a multiplatform FTP server from Netwin Software, with versions supporting Windows NT, 2000, 95 and 98 as well as RedHat Linux 5-7 and FreeBSD.

The Windows 95/98 version of the server is vulnerable to a directory traversal attack. It may be possible for attackers to obtain a listing of files and directories outside the normal FTP root directory. An attacker could list files containing confidential user data or sensitive system files which, if obtained through other methods, could further undermine the site's security.

It is believed, but has not been verified, that this issue will affect only Windows 98 platforms, as NT does not honor the '...' convention.
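The following is an added defensive example, not SurgeFTP code and not part of the original advisory: a path-confinement routine that accounts for the '...' convention, next to a weak check that only looks for '..'. The function names are hypothetical, and the code assumes Windows 9x semantics in which a component of n dots climbs n-1 directory levels.

```python
import re

SEPARATORS = re.compile(r"[\\/]+")   # accept both '/' and '\' as separators
DOT_RUN = re.compile(r"^\.+$")       # '.', '..', '...', '....', ...


class PathEscapesRoot(ValueError):
    """The requested path resolves to a location above the FTP root."""


def naive_is_safe(path):
    """Weak check: rejects only a literal '..' component, so '...' passes."""
    return ".." not in SEPARATORS.split(path)


def confine(cwd, path):
    """Resolve a client-supplied path against cwd and keep it under the root.

    cwd is the list of directory components below the FTP root.
    Returns the resolved component list, or raises PathEscapesRoot.
    """
    # An absolute path restarts at the virtual root, not at cwd.
    parts = [] if path[:1] in ("/", "\\") else list(cwd)
    for comp in SEPARATORS.split(path):
        if comp in ("", "."):
            continue
        if DOT_RUN.match(comp):
            # Assumed Windows 9x behaviour: n dots means n-1 levels up.
            up = len(comp) - 1
            if up > len(parts):
                raise PathEscapesRoot(path)
            del parts[len(parts) - up:]
            continue
        parts.append(comp)
    return parts


if __name__ == "__main__":
    # Constructed sample requests, evaluated from the directory /pub
    for request in ("docs/../readme.txt", "...", "docs/..../x"):
        try:
            print(request, "->", confine(["pub"], request))
        except PathEscapesRoot:
            print(request, "-> rejected (escapes FTP root)")
```

Resolving dot runs before the path reaches the operating system means the decision does not depend on whether the underlying platform honors '...'.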


Copyright 2010, SecurityFocus