CrushFTP allows access to files outside the FTP root directory through directory traversal.
CrushFTP is a Java-based FTP server available for Linux, Mac OS, and Windows. CrushFTP can be configured to limit access to files under a designated FTP root directory. However, CrushFTP allows an attacker to get files outside this directory through '../' directory traversal.
CrushFTP allows an attacker to see any file in the filesystem, including potentially sensitive and critical system files.
Upgrade to version 2.1.7 or later of CrushFTP at:
Use chroot, if available on your system, to limit the scope of CrushFTP's access to the filesystem.
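The containment check that this class of flaw lacks, shown as an added example (not CrushFTP's code and not part of the original note). The function names `naive_resolve` and `safe_resolve` and the directory layout are hypothetical, constructed only for illustration.

```python
import os
import tempfile

def naive_resolve(ftp_root, cwd, arg):
    """Weak mapping: joins client input onto the root with no containment check."""
    return os.path.normpath(os.path.join(ftp_root, cwd.lstrip("/"), arg))

def safe_resolve(ftp_root, cwd, arg):
    """Map an FTP path argument to a real path, or raise if it leaves ftp_root."""
    root = os.path.realpath(ftp_root)
    # Absolute FTP paths are relative to the virtual root, not the host filesystem.
    virtual = arg if arg.startswith("/") else cwd.rstrip("/") + "/" + arg
    candidate = os.path.realpath(os.path.join(root, virtual.lstrip("/")))
    # realpath collapses '..' and follows symlinks, so compare only after resolving.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("path escapes FTP root: %r" % arg)
    return candidate

def demo():
    """Build a constructed directory layout and run both resolvers against it."""
    base = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(base, "ftproot")
    os.makedirs(os.path.join(root, "pub"))
    secret = os.path.join(base, "secret.txt")  # constructed file outside the root
    with open(secret, "w") as fh:
        fh.write("outside\n")
    results = {}
    # The unchecked join lands on the file outside the root.
    results["naive_escapes"] = naive_resolve(root, "/pub", "../../secret.txt") == secret
    try:
        safe_resolve(root, "/pub", "../../secret.txt")
        results["safe_blocks"] = False
    except PermissionError:
        results["safe_blocks"] = True
    # A '..' that stays inside the root is still served.
    inside = safe_resolve(root, "/pub", "../pub/readme.txt")
    results["safe_allows"] = inside == os.path.join(root, "pub", "readme.txt")
    return results

if __name__ == "__main__":
    print(demo())
```

The check compares resolved paths rather than searching the request for `../`, so it also covers symlinks inside the root that point outside it.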
Thanks to Joe Testa for discovering this vulnerability.
| Date First Published: | 2001-12-20 |
| Date Last Updated: | 2001-12-20 16:50 UTC |