Published: 2004-12-31 00:00:00
Last revised: 2017-07-18 21:29:00

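[Original] Directory traversal vulnerability in the FTP server in TriDComm 1.3 and earlier allows remote attackers to read or write arbitrary files via a .. (dot dot) in FTP commands such as (1) DIR, (2) GET, or (3) PUT.

[CNNVD] Tridcomm 1.3 remote directory traversal vulnerability (CNNVD-200412-1149)

        Submitting data that contains multiple '../' strings can bypass the web root restriction and allow file contents to be viewed with the privileges of the process.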

- CVSS (base score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20041006 Directory traversal in Tridcomm 1.3
(UNKNOWN)  BID  11343
(UNKNOWN)  XF  tridcomm-dotdot-directory-traversal(17631)

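- Vulnerability information

Tridcomm 1.3 remote directory traversal vulnerability
Medium severity Input validation
2004-12-31 00:00:00 2005-10-20 00:00:00
        Submitting data that contains multiple '../' strings can bypass the web root restriction and allow file contents to be viewed with the privileges of the process.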

- Advisories and patches


- Vulnerability information

TriDComm FTP Server Traversal Arbitrary File Manipulation
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

TriDComm contains a flaw that allows a remote attacker to upload and download outside of the FTP path. The issue is due to the program not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the DIR, PUT and GET commands.

- Timeline

2004-10-07 2004-10-06
2004-10-07 Unknown

- Solution

Upgrade to version 1.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

TriDComm Built-in FTP Server Directory Traversal Vulnerability
Input Validation Error 11343
Yes No
2004-10-06 12:00:00 2009-07-12 07:06:00
Luigi Auriemma <> disclosed this vulnerability.

- Affected software versions

Lajos Kelemen TriDComm 1.3
Lajos Kelemen TriDComm 1.2

- Vulnerability discussion

It is reported that TriDComm is susceptible to a directory traversal vulnerability in its built-in FTP server. The FTP server is not enabled by default.

This vulnerability allows attackers to write or access files outside the configured document root of the affected FTP server, with the privileges of the affected process. This may allow them to overwrite critical files, resulting in denial of service conditions, or assist them in full system compromise. They may also retrieve the contents of potentially sensitive files, aiding them in further attacks.

This vulnerability is reported to exist in versions 1.2 and 1.3 of the package.

- Exploit

An exploit is not required.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Related references