Opened 12 years ago

Closed 12 years ago

#3762 closed Bug report (rejected)

system path disclosure

Reported by: Juan Pablo Lopez Yacubian
Owned by:
Priority: normal
Component: FileZilla Server
Keywords:
Cc:
Component version:
Operating system type: Windows
Operating system version: sp 2

Description (last modified by Tim Kosse)

The vulnerability occurs because the command "mput" lets you list the names of the files of any directory on the disc. While you cannot have access to files, this can create a map of the disc.

POC


Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\admin>ftp
ftp> open 127.0.0.1 21
Conectado a 127.0.0.1.
220 <script>alert(1)</script>
Usuario (127.0.0.1:(none)): juan
331 Password required for juan
Contraseña:
230 Logged on
ftp> mput
Archivos locales c:\windows\*.*
mput c:\windows\.?
Error al abrir el archivo local c:\windows\..
mput c:\windows\..?
Error al abrir el archivo local c:\windows\...
mput c:\windows\$hf_mig$?
Error al abrir el archivo local c:\windows\$hf_mig$.
mput c:\windows\$MSI31Uninstall_KB893803v2$?
Error al abrir el archivo local c:\windows\$MSI31Uninstall_KB893803v2$.
mput c:\windows\$NtServicePackUninstallIDNMitigationAPIs$?
Error al abrir el archivo local c:\windows\$NtServicePackUninstallIDNMitigationA
PIs$.
mput c:\windows\$NtServicePackUninstallNLSDownlevelMapping$?
Error al abrir el archivo local c:\windows\$NtServicePackUninstallNLSDownlevelMa
pping$.
mput c:\windows\$NtUninstallKB835221WXP$?
Error al abrir el archivo local c:\windows\$NtUninstallKB835221WXP$.
mput c:\windows\$NtUninstallKB873339$?
Error al abrir el archivo local c:\windows\$NtUninstallKB873339$.
mput c:\windows\$NtUninstallKB885835$?

Change History (5)

comment:1 Changed 12 years ago by Juan Pablo Lopez Yacubian

Operating system type: Windows


any questions, discuss and include more details

greetings!

Juan Pablo Lopez Yacubian

comment:2 Changed 12 years ago by Tim Kosse

Description: modified (diff)
Status: new → moreinfo

mput is just a client command, you need to attach the actual FTP communication. Also, set language to English, I cannot understand that strange language in your report.

comment:3 Changed 12 years ago by Juan Pablo Lopez Yacubian

Status: moreinfo → new

cite : "mput is just a client command"

The problem is the result of that command .. that runs on the server ...

cite : "Also, set language to English, I cannot understand that strange language in your report."

the ftp log is quite clear..


C: \ Documents and Settings \ admin> ftp
FTP> Open 127.0.0.1 21
Connected to 127.0.0.1.
220 <script> alert (1) </ script>
User (127.0.0.1: (none)): user
331 Password required for user
Password:
Logged on 230
FTP> mput
Archives local c: \ windows \ *.*
mput c: \ windows \.?
Failed to open the local file c: \ windows \ ..
mput c: \ windows \ ..?
Failed to open the local file c: \ windows \ ...
mput c: \ windows \ hf_mig $ $?

comment:4 Changed 12 years ago by Juan Pablo Lopez Yacubian

When sending the command "mput", this appears in the server log:

(000031) 11/09/2008 16:29:35 p.m. - juan (127.0.0.1)> 230 Logged on
(000031) 11/09/2008 16:29:56 p.m. - juan (127.0.0.1)> PORT 127,0,0,1,10,91
(000031) 11/09/2008 16:29:56 p.m. - juan (127.0.0.1)> 200 Port command successful
(000031) 11/09/2008 16:29:56 p.m. - juan (127.0.0.1)> STOR filaname.html
(000031) 11/09/2008 16:29:56 p.m. - juan (127.0.0.1)> 550 Permission denied
(000031) 11/09/2008 16:29:57 p.m. - juan (127.0.0.1)> PORT 127,0,0,1,10,92
(000031) 11/09/2008 16:29:57 p.m. - juan (127.0.0.1)> 200 Port command successful

comment:5 Changed 12 years ago by Tim Kosse

Resolution: rejected
Status: new → closed

According to the log, everything is just fine.
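
One way to triage a report like this from the server side, as an added example that is not part of the original ticket or of FileZilla's code: it parses the server log lines quoted in comment:4 (copied inline as sample input), pairs each command that reached the server with its reply, and checks whether any directory-listing command (LIST, NLST, MLSD) was answered successfully. The function names and the regular expression for the log line layout are assumptions inferred only from those seven lines.

```python
import re

# Sample input: the FileZilla Server log lines quoted in comment:4 above.
SAMPLE_LOG = """\
(000031) 11/09/2008 16:29:35 p.m. - juan (127.0.0.1)> 230 Logged on
(000031) 11/09/2008 16:29:56 p.m. - juan (127.0.0.1)> PORT 127,0,0,1,10,91
(000031) 11/09/2008 16:29:56 p.m. - juan (127.0.0.1)> 200 Port command successful
(000031) 11/09/2008 16:29:56 p.m. - juan (127.0.0.1)> STOR filaname.html
(000031) 11/09/2008 16:29:56 p.m. - juan (127.0.0.1)> 550 Permission denied
(000031) 11/09/2008 16:29:57 p.m. - juan (127.0.0.1)> PORT 127,0,0,1,10,92
(000031) 11/09/2008 16:29:57 p.m. - juan (127.0.0.1)> 200 Port command successful
"""

# Assumed line layout, inferred only from the sample above:
# (session) date time [a.m./p.m.] - user (ip)> message
LINE_RE = re.compile(
    r"^\((?P<session>\d+)\)\s+\S+\s+\S+(?:\s+[ap]\.m\.)?\s+-\s+"
    r"(?P<user>.+?)\s+\((?P<ip>[^)]+)\)>\s+(?P<msg>.*)$"
)
REPLY_RE = re.compile(r"^(\d{3})(?:[ -]|$)")  # FTP replies start with a 3-digit code
# Commands that make the server send directory contents (RFC 959, RFC 3659).
LISTING_VERBS = {"LIST", "NLST", "MLSD"}

def parse_exchanges(log_text):
    """Return [(verb, argument, reply_code)] for each command the server received."""
    exchanges = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        reply = REPLY_RE.match(msg)
        if reply:
            # Attach the reply to the latest command still waiting for one.
            if exchanges and exchanges[-1][2] is None:
                verb, arg, _ = exchanges[-1]
                exchanges[-1] = (verb, arg, int(reply.group(1)))
            continue
        verb, _, arg = msg.partition(" ")
        exchanges.append((verb.upper(), arg, None))
    return exchanges

def successful_listings(exchanges):
    """Listing commands the server answered with a non-error (< 400) reply."""
    return [e for e in exchanges if e[0] in LISTING_VERBS and e[2] and e[2] < 400]

def denied(exchanges):
    """Commands the server refused with a 5xx reply."""
    return [e for e in exchanges if e[2] and e[2] >= 500]
```

For this excerpt, `parse_exchanges(SAMPLE_LOG)` yields two accepted PORT commands and one STOR refused with 550, and `successful_listings` returns an empty list.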
