Directory Traversal Vulnerability in EFTP

Reported December 28, 2001, by Ertan Kurt.

VERSION AFFECTED

  • Encrypted File Transfer Protocol 2.0.8.346 for Windows

 

DESCRIPTION
A vulnerability exists in Encrypted File Transfer Protocol 2.0.8.346 that an attacker can use to break out of his or her home directory and see the contents of every drive and directory on the vulnerable host. Issuing the command “CWD …” and then “CWD \” changes the current directory to the root of the drive. However, the attacker has to follow the procedure listed above each time he or she wants to change the working directory to list another directory’s content.
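
A server-side confinement check for CWD arguments that would refuse the sequence described above, as an added example (it is not EFTP's code or the vendor's fix). The function name, the exception and the sample paths are assumptions; the check is string-level only and does not resolve links or short names.

```python
import ntpath  # Windows path rules, importable on any OS


class CwdDenied(Exception):
    """Raised when a CWD argument would leave the user's home directory."""


def resolve_cwd(home: str, current: str, arg: str) -> str:
    """Return the new absolute working directory, confined to `home`.

    home    -- absolute home directory (sample value, an assumption)
    current -- absolute current directory, already inside `home`
    arg     -- raw argument of the CWD command
    """
    arg = arg.replace("/", "\\")
    drive, rest = ntpath.splitdrive(arg)
    if drive:
        # Drive letters and UNC prefixes are never valid for a confined user.
        raise CwdDenied("drive or UNC prefix not allowed")
    for part in rest.split("\\"):
        # Components made only of dots/spaces (other than "." and "..") may be
        # given special meaning or stripped by Windows path handling, so they
        # are rejected rather than interpreted.
        if part not in ("", ".", "..") and part.strip(". ") == "":
            raise CwdDenied("dot-only path component")
    # A leading backslash means the user's virtual root, not the drive root.
    base = home if rest.startswith("\\") else current
    candidate = ntpath.normpath(ntpath.join(base, rest.lstrip("\\")))
    home_n = ntpath.normcase(ntpath.normpath(home))
    # Compare whole path components after normalisation; a plain prefix test
    # would wrongly accept a sibling such as "alice2" for home "alice".
    common = ntpath.commonpath([ntpath.normcase(candidate), home_n])
    if common != home_n:
        raise CwdDenied("target is outside the home directory")
    return candidate
```

Logging each `CwdDenied` with the session's user and source address gives a cheap signal for traversal attempts against the server.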

 

VENDOR RESPONSE

The vendor, Encrypted FTP, has issued release 2.0.8.348, which corrects this vulnerability.

 

CREDIT
Discovered by Ertan Kurt.
