Netwin Surge FTP Server does not adequately validate user input thereby allowing directory traversal

Overview

Surge FTP Server 2.0a contains a directory traversal vulnerability.

Description

Surge FTP Server 2.0a allows remote users to list files outside the FTP root directory.

---

Impact

Attackers may list files from directories to which access was not granted.

---

Solution

Upgrade to version 2.0b, available at:

<http://www.netwinsite.com/surgeftp>

---

Vendor Information

219043

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Netwin __ Affected

Notified: December 20, 2001 Updated: January 16, 2002

Status

Affected

Vendor Statement

“Surgeftp has many settings, and you can configure it to give you access to the entire filesystem with access rights of the username that you logged in with, which works great when you have it all set up correctly, unfortunately Windows isn’t configured in the best way (from fresh install) for the access rights to work correctly.”

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23219043 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/bid/2892&gt;
• <http://netwinsite.com/surgeftp/manual/updates.htm&gt;
• <http://netwinsite.com/surgeftp/&gt;

Acknowledgements

Thanks to Sentry Research Labs for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs:	CVE-2001-0698
Severity Metric:	1.84 Date Public: