CesarFTP v0.98b triple dot Directory Traversal / Weak password encryption AFFECTED SYSTEMS CesarFTP v0.98b on Windows 9x / ME DESCRIPTION 1) Directory Traversal First, we need a directory where we have access to on the victim host... (Or we can create one if we have enough rights) ftp://127.0.0.1/ might give us a directory RESTRICTED/ for example now we do : ftp://127.0.0.1/RESTRICTED/...%5c/ and we're out of the restricted subdirectory, we have read access to the whole harddrive 2) Once again an FTP server with weak password encryption... The username:password pairs are stored in plaintext in the program directory. (\program files\CesarFTP\settings.ini) Combined with the directory traversal, the password file can be easily attained by any user... VENDOR STATUS I have sent this advisory to <[EMAIL PROTECTED]> ======================================================= [ByteRage] <[EMAIL PROTECTED]> [www.byterage.cjb.net] ======================================================= __________________________________________________ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/
