Fastream NETFile Server mkdir file upload
| fastream-mkdir-file-upload (16613) |  Medium Risk |
Description:
Fastream NETFile Server could allow a remote attacker to upload malicious files to the system. By sending a specially-crafted HTTP request that uses the mkdir command and contains double slash (//) characters, a remote attacker could create and overwrite files on the system outside of the root directory.
Consequences:
File Manipulation
Remedy:
Upgrade to the latest version of Fastream NETFile Server (6.7.3 or later), available from the Fastream NETFile Server Web site. See References.
References:
- BugTraq Mailing List, Sun Jul 04 2004 - 08:37:27 CDT : Fastream NETFile FTP/Web Server Input validation Errors.
- Fastream NETFile Server Web site: NETFile FTP/HTTP Server - Fastream Technologies.
- BID-10658: Fastream NetFile FTP/Web Server Directory Traversal Vulnerability
- CVE-2004-0676: Directory traversal vulnerability in Fastream NETFile FTP/Web Server 6.7.2.1085 and earlier allows remote attackers to create or delete arbitrary files via .. (dot dot) and // (double slash) sequences in the filename parameter.
Platforms Affected:
- Fastream Fastream NETFile Server 6.7.2.1085 - prior
Reported:
Jul 04, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net