Donato Ferrante

Application:  Home Ftp Server
              http://downstairs.dnsalias.net/homeserver.html
Version:      1.0.7 b45
Bugs:         Multiple Vulnerabilities
Date:         24-Aug-2005
Author:       Donato Ferrante
e-mail:       fdonato@autistici.org
web:          www.autistici.org/fdonato

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bugs
3. The code
4. The fix

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:
"Home ftp server is a very easy to use Windows FTP server application
with all the nice ftp features included."

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
2. The bugs:
-------------

i.  Information Disclosure. By default the program stores user
    information ("ftpmembers.lst") and the FTP server settings
    ("ftpsettings.lst") in the program's directory, which is also the
    default home directory for users. Both files are stored in clear
    text. So a malicious user, once logged in, can read the server
    settings and the user information directly from the home directory.

ii. Directory Traversal. The program does not confine users to their
    home directory: a logged-in user can list, and download (if "Allow
    download files" is enabled), any file available on the remote
    system.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

www.autistici.org/fdonato/poc/HomeFtpServer107b45_MV_poc.py

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

No fix. No reply from vendor.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
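The following Python is added here as a worked example of the two issues in
section 2; it is not the author's PoC (that is the script linked in section 3)
and not the vendor's code. It shows the vulnerable path handling the advisory
describes (client path joined straight onto the root) beside a hardened
resolver that refuses to leave the root, a check for the two clear-text
config files in a home-directory listing, and an optional live probe with
ftplib. The root path, virtual directories and listing used below are
constructed test data; the probe's "PWD changed after CWD .." test is an
assumed heuristic, not something the advisory states.

```python
"""Added example, not the advisory's PoC: checks for clear-text config files
in the FTP home directory and for path traversal out of that directory.
Paths and listings used here are constructed, not taken from the product."""
import os
import posixpath
import re
import ftplib

# File names the advisory reports as stored in clear text in the home directory.
SENSITIVE_FILES = ("ftpmembers.lst", "ftpsettings.lst")

# Windows drive ("C:") or UNC ("//host") prefixes: os.path.join() on Windows
# discards everything before such a component, so they must never reach it.
_DRIVE_OR_UNC = re.compile(r"^[A-Za-z]:|^//")


def find_exposed_config(listing):
    """Return which sensitive config files appear in a directory listing
    (case-insensitive, since the server runs on Windows)."""
    names = {name.lower() for name in listing}
    return [f for f in SENSITIVE_FILES if f in names]


def naive_resolve(root, requested):
    """The behaviour the advisory describes (vulnerable): the client path is
    joined to the root and normalised, so '..' walks out of the root."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_resolve(root, cwd, requested):
    """Hardened resolution: map a client-supplied path (relative to the
    virtual directory `cwd`, '/' being the FTP root) to a real path under
    `root`, or return None if it would leave the root."""
    req = requested.replace("\\", "/")  # Windows clients may send backslashes
    if _DRIVE_OR_UNC.match(req):
        return None
    # Walk the components with an explicit depth stack; climbing above the
    # root is rejected instead of silently clamped to '/'.
    stack = [] if req.startswith("/") else [p for p in cwd.split("/") if p]
    for part in req.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                return None
            stack.pop()
        elif _DRIVE_OR_UNC.match(part):
            return None
        else:
            stack.append(part)
    # Defence in depth: resolve symlinks and confirm the result is still
    # inside the real root.
    real_root = os.path.realpath(root)
    real = os.path.realpath(os.path.join(real_root, *stack))
    if os.path.commonpath([real_root, real]) != real_root:
        return None
    return real


def probe_server(host, port=21, user="anonymous", password="guest@example.com", timeout=10):
    """Live check against an FTP server (not run offline): list the home
    directory for the two config files, then try one '..' step. Treating a
    changed PWD after 'CWD ..' as escaped is an assumed heuristic."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    ftp.login(user, password)
    try:
        home = ftp.pwd()
        exposed = find_exposed_config(ftp.nlst())
        try:
            ftp.cwd("..")
            traversal = ftp.pwd() != home
        except ftplib.error_perm:
            traversal = False
        return {"home": home, "exposed": exposed, "traversal": traversal}
    finally:
        ftp.close()


if __name__ == "__main__":
    # Constructed listing of a home directory laid out as the advisory describes.
    print(find_exposed_config(["pub", "FtpMembers.lst", "ftpsettings.lst", "readme.txt"]))
    print(naive_resolve("/srv/ftp", "../../windows/win.ini"))      # escapes the root
    print(safe_resolve("/srv/ftp", "/", "../../windows/win.ini"))  # None
    print(safe_resolve("/srv/ftp", "/pub", "../readme.txt"))       # inside the root
```

The resolver rejects a traversal attempt outright rather than clamping it to
the root, which gives the server something to log; the final realpath and
commonpath check is there so that a symlink or a drive-prefixed component
cannot undo the component walk.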