Vulnerability Note VU#110803
CrushFTP Server does not adequately filter user input thereby permitting directory traversal
CrushFTP allows access to files outside the FTP root directory through directory traversal.
CrushFTP is a Java-based FTP server available for Linux, Mac OS, and Windows. CrushFTP can be configured to limit access to files under a designated FTP root directory. However, an attacker can retrieve files outside this directory by using '../' directory traversal sequences in a requested path.
CrushFTP allows an attacker to see any file in the filesystem, including potentially sensitive and critical system files.
Upgrade to version 2.1.7 or later of CrushFTP at:
Use chroot, if available on your system, to limit the scope of CrushFTP's access to the filesystem.
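The root-confinement check whose absence this note describes, sketched as an added example (not CrushFTP code and not from the vendor): the client path is canonicalized and must still resolve under the FTP root. The function names, directory layout, and requests are assumptions constructed for illustration, and the symlink case goes beyond the '../' case in the note.

```python
import os
import tempfile

def naive_resolve(root, requested):
    # Flawed pattern: client input is joined to the root and never checked.
    return os.path.normpath(os.path.join(root, requested.lstrip("/")))

def confined_resolve(root, requested):
    """Map a client-supplied FTP path to a real path under root, or raise."""
    real_root = os.path.realpath(root)
    # A leading "/" means the FTP root, not the filesystem root.
    candidate = os.path.realpath(os.path.join(real_root, requested.lstrip("/")))
    # commonpath compares whole components, so a sibling such as
    # "ftproot-backup" cannot pass as being inside "ftproot".
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PermissionError(f"path escapes FTP root: {requested!r}")
    return candidate

# Constructed client requests (not taken from the advisory).
REQUESTS = [
    "pub/readme.txt",
    "/pub/../pub/a.txt",
    "../secret.txt",
    "pub/../../secret.txt",
    "../ftproot-backup/x",
    "pub/link/secret.txt",   # symlink inside the root pointing outside it
]

def demo():
    """Return {request: (naive_path_is_outside_root, confined_verdict)}."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "ftproot")
        os.makedirs(os.path.join(root, "pub"))
        with open(os.path.join(base, "secret.txt"), "w") as fh:
            fh.write("outside the FTP root\n")
        os.symlink(base, os.path.join(root, "pub", "link"))
        for req in REQUESTS:
            naive = naive_resolve(root, req)
            outside = not naive.startswith(root + os.sep)
            try:
                confined_resolve(root, req)
                verdict = "allowed"
            except PermissionError:
                verdict = "denied"
            results[req] = (outside, verdict)
    return results

if __name__ == "__main__":
    for req, (outside, verdict) in demo().items():
        print(f"{req!r:28} naive escapes={outside!s:5} confined={verdict}")
```

The symlink request shows why the comparison is made on resolved paths: its lexically normalized form still looks like it is inside the root.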
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Ben Spink | Affected | 29 Aug 2001 | 17 Nov 2001 |
Thanks to Joe Testa for discovering this vulnerability.
This document was written by Shawn Van Ittersum.
- CVE IDs: CAN-2001-0582
- Date Public: 23 May 2001
- Date First Published: 20 Dec 2001
- Date Last Updated: 20 Dec 2001
- Severity Metric: 0.11
- Document Revision: 12