Xlight FTP server is "a powerful ftp server with very small program size". Two vulnerabilities have been discovered in the product: a directory traversal vulnerability (allows remote attackers to cause the product to display files that are outside the bound FTP root directory) and a denial of service.
Credit:
The information has been provided by GSS IT.
Vulnerable systems:
* Xlight FTP Server version 1.40
Immune systems:
* Xlight FTP Server version 1.41
Directory Traversal:
Any authenticated user can read arbitrary files outside the bound FTP root directory by issuing the following command:
get ..\[Existent File]
recv ..\[Existent File]
Denial of Service:
Any authenticated user can crash the server by issuing the following command:
cd ~
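Both issues above come down to how the server maps client-supplied path arguments (including Windows-style `..\` separators and the `~` form) onto its filesystem. The following is an added illustration, not code from Xlight or from the advisory authors, of the kind of path normalisation a server should perform before touching the disk: backslashes are treated as separators, any `..` that would climb above the FTP root is refused rather than silently clamped, `~` is rejected as unsupported (the advisory does not say why `cd ~` crashes version 1.40, so this only assumes that refusing the form is an adequate defence), and the final filesystem path is re-checked after symlink resolution. The root directory and sample paths are constructed for the example.

```python
import os

FTP_ROOT = "/srv/ftp"  # constructed example root; not a path from the advisory


def virtual_path(cwd, requested):
    """Return the normalised virtual path for a client argument, or None if it
    climbs above the FTP root or uses the unsupported '~' form.

    cwd is the client's current virtual directory (always starting with '/').
    """
    # Treat backslashes as separators so "..\\file" cannot slip past a check
    # that only looks for "../".
    requested = requested.replace("\\", "/")
    if requested.startswith("~"):
        return None  # FTP has no home-directory expansion; refuse it outright
    if requested.startswith("/"):
        parts = []
    else:
        parts = [p for p in cwd.split("/") if p]
    for part in requested.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:
                return None  # would leave the root: refuse, do not clamp
            parts.pop()
        else:
            parts.append(part)
    return "/" + "/".join(parts)


def to_filesystem(root, cwd, requested):
    """Map a client argument onto a real filesystem path confined to root.

    Returns None when the virtual path is rejected or when symlink resolution
    would place the result outside root.
    """
    vpath = virtual_path(cwd, requested)
    if vpath is None:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *vpath.strip("/").split("/")))
    # Re-check after resolving symlinks: a link inside root may point outside it.
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample arguments mirroring the shapes in the advisory.
    for cwd, arg in [("/", "..\\boot.ini"), ("/pub", "..\\readme.txt"),
                     ("/pub", "~"), ("/pub", "docs/./a.txt")]:
        print(repr(arg), "->", to_filesystem(FTP_ROOT, cwd, arg))
```

A server that clamps `..` at the root instead of rejecting it (as `os.path.normpath` does for absolute paths) is still safe against traversal, but rejecting makes the attempt visible in logs; either way the request must never reach the filesystem as the raw string the client sent.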
Vendor status: "Thank you for the information. Vulnerability places under the prog have been found, the fix will come out very soon". A new version is available on the vendor's web site; the new version (1.41) includes fixes for both of these vulnerabilities.