Fastream NETFile Server Lets Remote Users Create or Delete Files and Directories in Arbitrary Locations
SecurityTracker Alert ID: 1013803|
SecurityTracker URL: http://securitytracker.com/id/1013803
(Links to External Site)
Date: Apr 26 2005
Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): prior to 7.5.0 Beta 7; Tested on 7.4.6 on English Win2K SP4|
Tan Chew Keong of SIG^2 Vulnerability Research reported a vulnerability in Fastream NETFile server. A remote authenticated user can upload or delete files or directories located outside of the FTP directory.|
A remote authenticated user with directory creation/removal privileges can invoke a specially crafted URL to create or delete files and directories located outside of the FTP root directory. Some demonstration exploit URLs are provided:
[Editor's note: This vulnerability was originally reported by Andres Tarasco Acuna (at4r) in July 2004 and reported to have been fixed by the vendor in version 6.7.3, as posted in Alert ID 1010642. However, the fix was not complete. A slightly different type of request can still exploit the flaw.]
The vendor was notified on April 21, 2005.
The original advisory is available at:
A remote authenticated user with file upload privileges can upload files to locations or delete files located outside of the FTP root directory.|
A remote authenticated user with directory creation/modification privileges can create or delete directories located outside of the FTP root directory.
The vendor has released a fixed version (7.5.0 Beta 7).|
Vendor URL: www.fastream.com/products.htm (Links to External Site)
Access control error, Input validation error|
Source Message Contents
Date: Mon, 25 Apr 2005 21:25:16 +0800|
Subject: [SIG^2 G-TEC] Fastream NETFile FTP/Web Server Directory Traversal
SIG^2 Vulnerability Research Advisory
Fastream NETFile FTP/Web Server Directory Traversal Vulnerability
by Tan Chew Keong
Release Date: 25 Apr 2005
Fastream NETFile FTP/Web Server
(http://www.fastream.com/netfileserver.htm) is a secure FTP server and
Web server combined together in one program. It claims to be the
"easiest to setup and administer server" on the Internet.
A directory traversal vulnerability was found in NETFile FTP's web
interface. This vulnerability may be exploited by a user with file
upload/delete privileges to upload/delete files outside the FTP root, or
by a user with directory create/remove privileges to create/remove
directories outside the FTP root.
Fastream NETFile FTP/Web Server Version 7.4.6 on English Win2K SP4.
NETFile FTP supports file upload/download and directory
creation/deletion via a Web Interface. The Web Interface has a directory
traversal vulnerability that was previously reported by Andres Tarasco
It appears that this vulnerability was not sufficiently fixed and it is
still exploitable by crafting the request in another way.
Shown below are sample requests to delete a file, to create a directory,
and to remove a directory from outside the FTP root. To exploit this
vulnerability, the user must have the appropriate FTP privileges to
delete files and to create/remove directories.
Directory traversal vulnerability also exists when the server accepts
file uploads via a POST request using the web interface. It is possible
to use directory traversal characters to cause files to be saved outside
the FTP root.
1. Upgrade to Version 7.5.0 Beta 7 and above which fixes this particular
directory traversal vulnerability.
2. Or, disable the web interface.
3. Or, allow only trusted users to upload/delete files and create/remove
17 Apr 05 - Vulnerability Discovered.
21 Apr 05 - Initial Vendor Notification.
21 Apr 05 - Initial Vendor Reply.
21 Apr 05 - Vendor Provided 7.5.0 Beta 6 for Testing.
21 Apr 05 - Informed Vendor that File-Upload Directory Traversal is not
22 Apr 05 - Vendor Provided 7.5.0 Beta 7 for Testing.
25 Apr 05 - Public Release.
All guys at SIG^2 G-TEC Lab
"IT Security...the Gathering. By enthusiasts for enthusiasts."