Xlight FTP server is "a powerful ftp server with very small program size". Two vulnerabilities have been discovered in the product: a directory traversal vulnerability (an authenticated user can make the server return files that lie outside the bound FTP root directory) and a denial of service (an authenticated user can crash the server with a single command).
Credit:
The information has been provided by GSS IT.
Vulnerable systems:
* Xlight FTP Server version 1.40
Immune systems:
* Xlight FTP Server version 1.41
Directory Traversal:
Any authenticated user can read arbitrary files outside the bound FTP root directory by issuing either of the following client commands (both send a RETR request to the server; [Existent File] is any file that exists on the server's filesystem one level above the FTP root). The parent reference is written with a backslash, which the server does not treat like "../":
get ..\[Existent File]
recv ..\[Existent File]
Denial of Service:
Any authenticated user can crash the server by issuing the following command:
cd ~
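The following Python is an added example, not code from Xlight or from the advisory author; it shows the path-resolution check an FTP server needs in order to stop both reports above. Backslash and slash are normalised before the walk, so "..\file" cannot slip past a check written only for "../file"; a ".." that would leave the root is refused outright rather than silently clamped; and "~" receives no special expansion at all, so "cd ~" becomes an ordinary (usually failing) directory lookup instead of a code path that can bring the daemon down. The root C:\ftproot, the file names and the reply strings are constructed for the example.

```python
import ntpath

# Constructed for this example: the directory the FTP server is bound to.
FTP_ROOT = r"C:\ftproot"


class PathRejected(Exception):
    """Raised when a client-supplied path would leave the FTP root."""


def resolve_ftp_path(root, cwd, client_path):
    """Map a client path (CWD/RETR/STOR argument) to a filesystem path.

    root is the bound FTP root on disk, cwd the client's current virtual
    directory ('/' means the root).  Returns (virtual_path, fs_path).
    Raises PathRejected instead of ever producing a path outside root.
    """
    # Windows servers usually accept both separators, so a traversal
    # written as "..\file" must be handled exactly like "../file".
    virtual = client_path.replace("\\", "/")
    if not virtual.startswith("/"):
        virtual = cwd.rstrip("/") + "/" + virtual

    # Walk the components with an explicit stack.  A ".." that would pop
    # past the root is rejected rather than clamped, so the attempt is
    # visible in the server log and the client gets an error reply.
    parts = []
    for comp in virtual.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise PathRejected("traversal above FTP root: %r" % client_path)
            parts.pop()
            continue
        # A drive letter (":") would let ntpath.join restart from an
        # absolute path, and NUL truncates the string in a C runtime;
        # neither belongs in a name under the FTP root.
        if ":" in comp or "\x00" in comp:
            raise PathRejected("illegal component: %r" % comp)
        # No special meaning is attached to "~": it is an ordinary name, so
        # "cd ~" either enters a directory literally called "~" or fails
        # with a normal "not found" instead of being expanded.
        parts.append(comp)

    root_norm = ntpath.normpath(root)
    fs_path = ntpath.join(root_norm, *parts) if parts else root_norm

    # Belt and braces: whatever the walk produced must still be under root
    # (Windows filesystems are case-insensitive, so compare folded).
    fs_norm = ntpath.normpath(fs_path).lower()
    if fs_norm != root_norm.lower() and not fs_norm.startswith(root_norm.lower() + "\\"):
        raise PathRejected("resolved outside root: %r" % fs_path)

    return "/" + "/".join(parts), fs_path


def ftp_reply(root, cwd, verb, argument):
    """Simulate the server's decision for one CWD or RETR request.

    Returns the reply line the server would send.  The 'get' and 'recv'
    commands of the standard ftp client both send RETR on the wire.
    """
    try:
        virtual, fs_path = resolve_ftp_path(root, cwd, argument)
    except PathRejected as exc:
        return "550 %s" % exc
    if verb == "CWD":
        return "250 Directory changed to %s" % virtual
    if verb == "RETR":
        return "150 Opening data connection for %s" % fs_path
    return "502 Command not implemented"


if __name__ == "__main__":
    # The two requests from this advisory plus two legitimate ones.
    for verb, arg in [("RETR", "..\\outside.txt"), ("CWD", "~"),
                      ("RETR", "pub/readme.txt"), ("CWD", "/pub/../")]:
        print(verb, arg, "->", ftp_reply(FTP_ROOT, "/", verb, arg))
```

Note that a ".." is still allowed when it stays inside the root (cwd "/pub" with "..\file" resolves to a file directly under the root), so the check breaks the traversal without breaking normal relative navigation; the explicit stack is used because ntpath.normpath and posixpath.normpath silently drop a leading ".." from an absolute path and would hide the attempt.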
Vendor status:
"Thank you for the information. Vulnerability places under the prog have been found, the fix will come out very soon." A new version is available on the vendor's web site; the new version (1.41) includes fixes for both of these vulnerabilities.