Thursday, April 19, 2012

CompleteFTP Server 4.0.2 Directory Traversal Vulnerability

Description
CompleteFTP Server is a high-performance Windows FTP server supporting FTP, FTPS, SFTP and SCP. It features both Windows and non-Windows users and a fully configurable virtual file-system.

Sow Ching Shiong, an independent vulnerability researcher, has identified a directory traversal vulnerability in CompleteFTP Server. This issue was discovered in a default installation of CompleteFTP Server 4.0.2. Earlier versions may also be affected.

Proof of concept





Solution
Update to version 4.0.3 or later.

References

Vendor URL: http://www.enterprisedt.com/products/completeftp/history.html
Secunia: http://secunia.com/advisories/39852/

Disclosure Timeline
2010-05-18 - Vulnerability discovered.
2010-05-18 - Vulnerability reported to Secunia.
2010-05-19 - Secunia confirmed the vulnerability and contacted the vendor.
2010-06-02 - Patch released.
2010-06-02 - Advisory published by Secunia.
