I had a hell of a time getting through to Veritas, but after I did they
reacted VERY quickly. I apologize that I didn't get this info out to the
general community sooner, but Veritas didn't tell me that they released
the fix.
In the name of full disclosure:
synopsis:
"When using VERITAS
Vulnerability:
Users can break out of their root directory and list directories.
Depending on the priv. you have, other commands like delete may be
executed outside of the home directory.
e:\crap\ was used as homedir.
deleting files in e:\crap is enabled
Detail:
Problem: Again relative
When sending a command (cwd) followed by a long argument (~500 char '.')
the server crashes with:
Anwendungspopup: WFTPD Service Control:
WFTPD.EXE - Fehler in Anwendung:
Die Anweisung in "0x2e2e2e2e" verweist auf
Speicher
in "0x2e2e2e2e". Der Vorgang
"read" konnte nicht auf dem Speicher
The executable rfupd.exe included in the Reality Fusion products bundled
with many popular cameras sends the following data to 204.176.10.168 port
80 every time you use the app, reboot your computer or change
configuration.
-
GET /GCSE/Messages/todolist04.tag HTTP/1.1
If-Modified-Since: Sat,
Faststream FTP built in server responds with the real path of directory
instead of a virtual one. It is possible to get files outside of root.dir.
e:\crap was used as root directory
1. directory path
230 User anonymous logged in.
ftp> pwd
257 "/E:/crap/" is current directory.
2. getting files
It is possible to view dir. and (download) files outside of the wwwroot
directory.
Exploit:
http://127.0.0.1/.../
http://127.0.0.1/.../.../directory/file.xxx
Solution:
Disable folder listings (it is enabled by default), which will secure you
from viewing dir. outside of the wwwroot dir. But
I noticed Caldera released a patch for mail today on Bugtraq.
"This security fix closes Caldera's internal Problem Report 9327."
http://www.securityfocus.com/archive/1/166232
Quite the coincidence.
Here's the vuln-dev thread:
On Wed, 14 Feb 2001, Marc Roessler wrote:
there is some security related problem with kicq.
The authors were contacted and provided with a suggestion for a patch
which should be available soon.
I did not find anything on the archive on this, so here we go.
kicq is a free icq client clone