Sarid Harper has discovered a vulnerability in Golden FTP Server, which can be exploited by malicious, anonymous individuals to delete arbitrary files.
The vulnerability is caused by an error in the way FTP “DELE” requests are handled. This can be exploited to escape the FTP root and delete arbitrary files on the affected system by using the “../” character sequence.
Successful exploitation of this vulnerability requires that the “Enable full control” option is enabled.
This vulnerability is confirmed in the following versions:
- Golden FTP Server 4.30 Free
- Golden FTP Server 4.30 Professional
Other versions may also be affected.
use strict;
use warnings;
use Net::FTP;

my $ftp = Net::FTP->new("192.168.1.35", Debug => 1) || die $@;
$ftp->login("anonymous", 'email@example.com') || die $ftp->message;
# The FTP root is, via the configuration, set to C:\ftp\public
$ftp->cwd("/public/") || die $ftp->message;
# This deletes the file C:\bollocks.txt
$ftp = undef;   # close the session
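The server-side check that closes this class of bug, added here as an example: it is not Golden FTP Server's code, and it assumes a POSIX-style virtual tree that is mapped onto a Windows root only after the client's path argument has been validated.

```python
# Constructed example (not Golden FTP Server code): resolve a client-supplied
# FTP path argument, e.g. the operand of DELE, against the virtual root "/"
# and refuse anything that climbs above it, before any filesystem call.

class PathEscapeError(ValueError):
    """Raised when a path argument would leave the FTP root."""


def resolve_virtual_path(cwd, arg):
    """Return the normalised virtual path for ARG relative to CWD.

    Absolute arguments replace CWD, relative ones are joined to it.
    Components are walked with a stack so that a ".." with nothing left to
    pop is detected instead of being silently dropped (posixpath.normpath
    would turn "/../x" into "/x", hiding the escape attempt).
    """
    if any(c in arg for c in "\x00\r\n"):
        raise PathEscapeError("control character in path argument")
    # Windows APIs accept both separators, so treat "\" exactly like "/".
    path = arg.replace("\\", "/")
    if not path.startswith("/"):
        path = cwd.replace("\\", "/").rstrip("/") + "/" + path
    stack = []
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                raise PathEscapeError("path escapes FTP root: %r" % arg)
            stack.pop()
        elif ":" in part:
            # Drive letters and NTFS alternate data streams have no place
            # inside a virtual path; reject rather than pass them through.
            raise PathEscapeError("illegal component %r" % part)
        else:
            stack.append(part)
    return "/" + "/".join(stack)


def is_escape(cwd, arg):
    """True if ARG would be rejected by resolve_virtual_path."""
    try:
        resolve_virtual_path(cwd, arg)
    except PathEscapeError:
        return True
    return False


def dele_target(root, cwd, arg):
    """Validate ARG, then map the safe virtual path under ROOT (a Windows
    directory such as r"C:\ftp\public"); this is the path DELE may unlink."""
    virtual = resolve_virtual_path(cwd, arg)
    parts = [p for p in virtual.split("/") if p]
    return root.rstrip("\\/") + "".join("\\" + p for p in parts)
```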
Update to version 4.70 Free or Professional.
- Vulnerability identified: 29.10.09
- Vendor informed: 11.11.09
- Vendor fix: 17.02.10