Intrusion Prevention

GlFTPd.Zip.Plugin.Directory.Traversal

Description

This indicates a possible directory traversal attack against the glFTPd FTP server software.


glFTPd is a free FTP server for UNIX-based systems. A directory traversal vulnerability has been reported in its ZIP plugins: the shell scripts sitenfo.sh, sitezipchk.sh and siteziplist.sh do not properly validate the file name supplied by the user before acting on it. By placing .. sequences and glob (*) characters in the argument of a SITE NFO command, an authenticated user can determine whether arbitrary files exist on the system, list files in restricted directories, or read arbitrary files from within ZIP or gzip archives. The disclosed information may be used to mount further attacks.
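The check that the plugins described above are missing, as an added example written for this page rather than glFTPd's own plugin code: a SITE NFO / SITE ZIPCHK / SITE ZIPLIST style script should refuse a client argument containing .. components or glob metacharacters, and should then confirm that the resolved path still lies inside the directory the session is confined to before handing it to unzip, zcat or ls. The function names, the SITE_ROOT-style sandbox layout built by site_demo and the sample requests are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not glFTPd's own plugin code.  Function names, the
# throw-away sandbox layout and the sample SITE NFO arguments are
# assumptions made for this illustration.

# Lexical check on the raw client argument.  Rejects an empty argument,
# an absolute path, a trailing slash, a leading dash (the tool would
# parse it as an option), any '.' or '..' component, an empty component
# and the glob metacharacters * ? [ ] that the shell would expand into
# other files.  Returns 0 if the argument is acceptable, 1 otherwise.
site_arg_is_safe() {
    arg=$1
    case "$arg" in
        ''|/*|*/|-*|*'*'*|*'?'*|*'['*|*']'*) return 1 ;;
    esac
    rest=$arg
    while [ -n "$rest" ]; do
        comp=${rest%%/*}        # component before the first '/'
        case "$comp" in
            ''|.|..) return 1 ;;
        esac
        case "$rest" in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
    done
    return 0
}

# Defence in depth: resolve the argument against the directory the
# session is confined to and confirm the physical path is still inside
# it.  This catches what the lexical check cannot see, such as a
# symbolic link that points outside the tree.  Prints the canonical
# file path and returns 0 on success; returns 1 on any failure.
site_resolve_path() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    arg=$2
    site_arg_is_safe "$arg" || return 1
    dir=$(cd "$root/$(dirname "$arg")" 2>/dev/null && pwd -P) || return 1
    case "$dir" in
        "$root"|"$root"/*) ;;
        *) return 1 ;;
    esac
    file=$dir/$(basename "$arg")
    # Refuse a symlinked file as well; unzip or zcat would follow it.
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    printf '%s\n' "$file"
}

# Constructed demonstration: build a throw-away site root, then run the
# checks over a legitimate request, the two abusive forms the advisory
# describes (traversal and globbing) and, additionally, a symlink escape.
site_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/root/sub"
    : > "$tmp/root/sub/release.zip"
    : > "$tmp/secret"                     # outside the site root
    ln -s "$tmp" "$tmp/root/escape"       # symlink leading out of the root
    for req in 'sub/release.zip' '../secret' 'sub/*.zip' 'escape/secret'; do
        if p=$(site_resolve_path "$tmp/root" "$req"); then
            echo "SITE NFO $req -> $p"
        else
            echo "SITE NFO $req -> rejected"
        fi
    done
    rm -rf "$tmp"
}

site_demo
```

Only the first request in site_demo is accepted; the traversal, the glob and the symlink forms are all rejected before any archive tool runs. The lexical check alone would have stopped the two forms named in this advisory; the canonical-path check is the extra step a practitioner adds so that a symlink or a later change to the script's working directory cannot reopen the hole.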

Affected Products

glFTPd 2.00 RC7 and prior versions.

Impact

Information disclosure: an authenticated attacker can confirm the existence of, list, or read files outside the permitted directories, which may lead to further system compromise.

Recommended Actions

Apply the appropriate patch from the vendor if available.

CVE References

CVE-2005-0483