November 27, 2000
Winsock FTPd is a popular FTP server from Texas Imperial Software.
A vulnerability exists in Winsock FTPd that could allow an unauthorized user to browse the root directory of the drive where Winsock FTPd has been installed.
During install, Winsock FTPd allows the administrator to "Restrict to home directory and below" effectively creating a chroot jail for users. Upon logging in, a user can pass a the server a malformed change directory request that will allow any user (including anonymous) to browse the root directory and possibly retrieve/write files to the root directory on which Winsock FTPd resides.
Upon connecting to the Winsock FTPd server, a user could issue the command: cd ../../ This will normally result in the message "User is not allowed to ../../" and will be returned to their chroot jail directory.
If the user issues the following command: cd /../.. they will not receive the "User is not allowed to" message and will change directory to root on the drive or partition where Winsock FTPd has been installed.
If the administrator has installed Winsock FTPd on the same drive or partition that contains the operating system, a remote attacker could gain access to systems files, password files, etc. that could lead to a complete system compromise.
- Texas Imperial Software WFTPD 2.41.0 RC14
- Texas Imperial Software WFTPD 2.41.0 RC14 Pro
- Texas Imperial Software WFTPD 3.0.0 Pro
The vendor has issued the following upgrades that fix this vulnerability:
This vulnerability was first reported to Bugtraq on November 27, 2000 by Interstellar Overdrive
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and email@example.com
are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.