La sécurité informatique - La sécurité des informations
Pablo Software Solutions FTP server Directory Traversal Vulnerability
Pablo Software Solutions FTP server version 1.0 build 9 shows files and directories that reside outside the normal FTP root directory.
Discovered on 2002, July, 20th
Vendor: Pablo Software Solutions
Pablo's FTP Server is a multi threaded FTP server for Windows 98/NT/XP. It comes with an easy to use interface and can be accessed from the system tray. The server handles all basic FTP commands and offers easy user account management and support for virtual directories. This FTP server can shows file and directory content that reside outside the normal FTP root directory.
The vulnerability can be done using the MS-DOS ftp client. When you are logged on the server, you can send a dir \..\, or a dir \..\WINNT, supposed your root directory is c:\ftp_server
Here is an example of the vulnerability. The query sent was dir \..\ :