CrushFTP allows access to files outside the FTP root directory through directory traversal.
CrushFTP is a Java-based FTP server available for Linux, Mac OS, and Windows. CrushFTP can be configured to limit access to files under a designated FTP root directory. However, CrushFTP allows an attacker to retrieve files outside this directory through '../' directory traversal.
CrushFTP allows an attacker to read any file in the filesystem, including potentially sensitive and critical system files.
Upgrade to version 2.1.7 or later of CrushFTP at:
Use chroot, if available on your system, to limit the scope of CrushFTP's access to the filesystem.
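The root-confinement failure described above, as an added illustration that is not CrushFTP's own code: a naive path mapper that joins the client-supplied path onto the FTP root (and so lets '../' escape it) beside a hardened mapper that refuses any result outside the root. The root path and request strings are constructed sample values.

```python
import posixpath

# Constructed sample FTP root; posixpath is used so the logic is the same on any OS.
FTP_ROOT = "/srv/ftp"


def map_path_naive(ftp_root, requested):
    """Vulnerable mapper: joins the client path onto the root and normalises it,
    but never checks that the result still lies under the root, so a request
    containing '../' segments resolves to an arbitrary file on the host."""
    return posixpath.normpath(posixpath.join(ftp_root, requested.lstrip("/")))


def map_path_safe(ftp_root, requested):
    """Hardened mapper: normalise first, then accept the result only if it is the
    root itself or a descendant of it. Returns None for any escape attempt.
    Note: normpath works on strings only; a real server should additionally
    resolve the final path on the filesystem (realpath) so symlinks inside the
    root cannot point outside it."""
    root = posixpath.normpath(ftp_root)
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    # Compare against root plus a separator so that a sibling directory such as
    # /srv/ftp_private is not mistaken for a child of /srv/ftp.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def review_requests(ftp_root, requests):
    """Returns {request: (naive_result, safe_result)} so the two mappers can be
    compared side by side for a batch of client-supplied paths."""
    return {r: (map_path_naive(ftp_root, r), map_path_safe(ftp_root, r)) for r in requests}


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one traversal, one sibling-dir probe.
    samples = ["pub/readme.txt", "pub/../../../etc/passwd", "../ftp_private/config"]
    for req, (naive, safe) in review_requests(FTP_ROOT, samples).items():
        print(f"{req!r:32} naive -> {naive!r:24} safe -> {safe!r}")
```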
Thanks to Joe Testa for discovering this vulnerability.
This document was written by Shawn Van Ittersum.
Date First Published: 2001-12-20
Date Last Updated: 2001-12-20 16:50 UTC