CVE-2004-0676
CVSS 10.0
Published: 2004-08-06 00:00:00
Revised: 2016-10-17 22:47:39

[Original] Directory traversal vulnerability in Fastream NETFile FTP/Web Server 6.7.2.1085 and earlier allows remote attackers to create or delete arbitrary files via .. (dot dot) and // (double slash) sequences in the filename parameter.


[CNNVD] Fastream NETFile FTP/Web Server Input Validation Error Vulnerability (CNNVD-200408-082)

        Fastream NETFile Server is a security-hardened FTP and web server.
        Fastream NETFile FTP/Web Server 6.7.2.1085 and earlier versions contain multiple input validation errors; a remote attacker can exploit this vulnerability to bypass the root directory restriction and damage the system.
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:fastream:netfile_ftp_web_server:6.5.1.980
cpe:/a:fastream:netfile_ftp_web_server:6.7.2.1085
cpe:/a:fastream:netfile_ftp_web_server:6.5.1.981

- OVAL (technical details for detection)

No related OVAL definitions found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0676
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0676
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-082
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=108904874104880&w=2
(UNKNOWN)  BUGTRAQ  20040704 Fastream NETFile FTP/Web Server Input validation Errors
http://www.haxorcitos.com/Fastream_advisory.txt
(UNKNOWN)  MISC  http://www.haxorcitos.com/Fastream_advisory.txt
http://www.securityfocus.com/bid/10658
(VENDOR_ADVISORY)  BID  10658
http://xforce.iss.net/xforce/xfdb/16613
(VENDOR_ADVISORY)  XF  fastream-mkdir-file-upload(16613)

- Vulnerability information

Fastream NETFile FTP/Web Server Input Validation Error Vulnerability
Critical  Input validation
2004-08-06 00:00:00 2005-10-20 00:00:00
Remote  
        Fastream NETFile Server is a security-hardened FTP and web server.
        Fastream NETFile FTP/Web Server 6.7.2.1085 and earlier versions contain multiple input validation errors; a remote attacker can exploit this vulnerability to bypass the root directory restriction and damage the system.
        

- Advisories and patches

        Vendor patch:
        Fastream
        --------
        The vendor has released an upgrade that fixes this security issue; download it from the vendor's home page:
        Download and use Fastream NETFile FTP/Web Server v6.7.3:
        
        http://www.fastream.com/netfileserver.htm

- Vulnerability information (24252)

Fastream NetFile FTP/Web Server 6.5/6.7 Directory Traversal Vulnerability (EDBID:24252)
cgi webapps
2004-07-05 Verified
0 Andres Tarasco Acuna
N/A
source: http://www.securityfocus.com/bid/10658/info

The NetFile FTP/Web Server is reported prone to a directory traversal vulnerability due to insufficient sanitization of user-supplied data. This can allow an attacker to create, view, and delete arbitrary files outside the web root.

Fastream NetFILE FTP/Web Server versions 6.7.2.1085 and prior are reported prone to this issue.

http://www.example.com?command=mkdir&filename=..//FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY

- Vulnerability information

7478
Fastream NETFile Web Server Arbitrary File Manipulation

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-07-04 Unknown
2004-07-04 Unknown

- Solution

Upgrade to version 6.7.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Fastream NetFile FTP/Web Server Directory Traversal Vulnerability
Input Validation Error 10658
Yes No
2004-07-05 12:00:00 2009-07-12 06:16:00
Discovery is credited to Andres Tarasco Acuna <at4r@haxorcitos.com>.

- Affected versions

Fastream NetFILE FTP/Web Server 6.7.2.1085
Fastream NetFILE FTP/Web Server 6.5.1.981
Fastream NetFILE FTP/Web Server 6.5.1.980
Fastream NetFILE FTP/Web Server 6.7.5
Fastream NetFILE FTP/Web Server 6.7.3

- Unaffected versions

Fastream NetFILE FTP/Web Server 6.7.5
Fastream NetFILE FTP/Web Server 6.7.3

- Vulnerability discussion

The NetFile FTP/Web Server is reported prone to a directory traversal vulnerability due to insufficient sanitization of user-supplied data. This can allow an attacker to create, view, and delete arbitrary files outside the web root.

Fastream NetFILE FTP/Web Server versions 6.7.2.1085 and prior are reported prone to this issue.
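The descriptions above (and the identical text in the EDB entry earlier on this page) attribute the problem to insufficient sanitization of the filename parameter, with .. and // sequences letting a request escape the web root. The following added example is not code from the page or from Fastream; it shows, from the defender's side, the check such a server needs (resolve the requested name under the configured root and refuse anything that normalizes to a path outside it) and runs it as detection logic over constructed web-server log lines. The root path and the log lines are constructed for the example, and treating backslashes as separators is an assumption made because the product runs on Windows.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed example root; the real server's root is not given on the page.
WEB_ROOT = "/srv/netfile/www"

# Constructed log lines in Common Log Format. The first request carries the
# "..//" sequence the advisory describes in the filename parameter, the second
# is a benign request inside the root, and the third uses backslash traversal.
LOG_LINES = [
    '10.0.0.5 - - [04/Jul/2004:10:00:00 +0000] "GET /?command=mkdir&filename=..//OUTSIDE HTTP/1.1" 200 -',
    '10.0.0.7 - - [04/Jul/2004:10:00:01 +0000] "GET /?command=mkdir&filename=reports/2004 HTTP/1.1" 200 -',
    '10.0.0.9 - - [04/Jul/2004:10:00:02 +0000] "GET /?command=delete&filename=..\\..\\boot.ini HTTP/1.1" 200 -',
]

_REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """Return the normalized absolute path for user_path if it stays inside root, else None.

    Backslashes are treated as separators too, on the assumption (ours, not the
    advisory's) that the server runs on Windows, where "..\\" works like "../".
    """
    candidate = user_path.replace("\\", "/").lstrip("/")
    # normpath collapses repeated slashes ("//") and resolves ".." segments,
    # so "..//X" and "../X" both normalize to a path one level above root.
    normalized = posixpath.normpath(posixpath.join(root, candidate))
    root_norm = posixpath.normpath(root)
    if normalized == root_norm or normalized.startswith(root_norm + "/"):
        return normalized
    return None


def flag_traversal_requests(lines, root=WEB_ROOT):
    """Return (client_ip, filename) for each logged request whose filename parameter escapes root."""
    flagged = []
    for line in lines:
        match = _REQUEST_RE.match(line)
        if not match:
            continue
        client_ip, target = match.groups()
        params = parse_qs(urlsplit(target).query)
        for filename in params.get("filename", []):
            if resolve_under_root(root, filename) is None:
                flagged.append((client_ip, filename))
    return flagged


if __name__ == "__main__":
    for ip, name in flag_traversal_requests(LOG_LINES):
        print(f"{ip} requested a path outside the web root: {name!r}")
```

The containment test is done on the normalized result rather than by searching the raw string for `..`, which is why the `..//` and backslash variants are caught by the same line of code as a plain `../`.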

- Exploitation

No exploit is required.

The following proof of concept is available:
http://www.example.com?command=mkdir&filename=..//FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY

- Solution

The vendor has released new versions to address this issue.


Fastream NetFILE FTP/Web Server 6.5.1.981

Fastream NetFILE FTP/Web Server 6.5.1.980

Fastream NetFILE FTP/Web Server 6.7.2.1085

- References
