VID 16034
Severity 30
Port 21
Protocol TCP
Class FTP
Detailed Description The anonymous FTP server has a directory traversal vulnerability. A remote attacker can issue a LIST (ls) command followed by "dot dot" sequences (in the form ls /../../../) to traverse directories and browse the user's hard disk or list files outside of the FTP root directory.

* CVE references related to this flaw:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1101
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0294
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0450
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0491
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0680
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0698
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1031
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1109
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0877

* References:
http://www.securiteam.com/windowsntfocus/5SP0M0055W.html
http://www.securiteam.com/windowsntfocus/6W00G206AM.html
http://www.der-keiler.de/Mailing-Lists/Securiteam/2001-08/0083.html
Recommendation Contact your vendor for a patch or an upgrade. If the patch or the upgrade for this flaw is not available, then use another FTP server.
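
The check a patched server has to make on a LIST argument, shown as an added example that is not part of the original advisory or any vendor's code: the client path is resolved inside a virtual root, and any "dot dot" sequence that would climb above it is rejected. The names `resolve_list_arg`, `PathEscape`, `ftp_root` and `cwd` are assumptions made for the illustration.

```python
import os
import posixpath
import tempfile


class PathEscape(Exception):
    """The client path would resolve outside the FTP root."""


def resolve_list_arg(ftp_root, cwd, arg):
    """Map a LIST argument to a real path guaranteed to lie inside ftp_root.

    ftp_root: real directory served as "/" (hypothetical parameter name)
    cwd:      the session's current virtual directory, e.g. "/pub"
    arg:      raw argument sent by the client, e.g. "/../../../"
    """
    # Backslash is also a separator on Windows hosts, so normalise it first.
    virtual = posixpath.join(cwd, arg.replace("\\", "/"))

    # Collapse the path component by component inside the virtual root.
    # A ".." with nothing left to pop is an attempt to climb above "/".
    parts = []
    for comp in virtual.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise PathEscape(arg)
            parts.pop()
        else:
            parts.append(comp)

    # Resolve symlinks and confirm the result is still under the root.
    real_root = os.path.realpath(ftp_root)
    real = os.path.realpath(os.path.join(real_root, *parts))
    if os.path.commonpath([real_root, real]) != real_root:
        raise PathEscape(arg)
    return real


if __name__ == "__main__":
    root = tempfile.mkdtemp()          # constructed FTP root for the demo
    os.mkdir(os.path.join(root, "pub"))
    for sample in ("pub", "/../../../", "..\\..\\"):   # constructed inputs
        try:
            print(repr(sample), "->", resolve_list_arg(root, "/", sample))
        except PathEscape:
            print(repr(sample), "-> rejected")
```

The final `realpath` comparison also catches a symbolic link inside the root that points outside it, which component counting alone would miss.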