3D-FTP Multiple Directory Traversal Vulnerabilities

This script is Copyright (C) 2008-2016 Tenable Network Security, Inc.


Synopsis :

The remote host has an application that is affected by multiple
directory traversal vulnerabilities.

Description :

The remote host has the 3D-FTP FTP client installed.

The installed version of 3D-FTP is affected by multiple directory
traversal vulnerabilities. By prefixing '../' to filenames in responses
to 'LIST' and 'MLSD' commands, an attacker may be able to write
arbitrary files outside the client's directory, subject to the
privileges of the user. An attacker can leverage this issue to write
arbitrary files (potentially containing malicious code) to the client's
startup directory, where they would be executed when the user logs on.
To successfully exploit this issue, an attacker must trick a user into
downloading a specially-named file from a malicious FTP server.
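
The client-side check that this class of bug lacks, shown as an added
example (not code from the plugin or from 3D-FTP): every name taken from
an 'MLSD' listing is validated before it becomes a local path. The
function names, the sample listing and the strict "bare filename only"
policy are assumptions, and the check goes beyond '../' to also reject
backslashes, drive letters and symlinked targets.

```python
import os

# Constructed MLSD lines (RFC 3659 layout: "fact=value;... <space> name").
SAMPLE_MLSD = [
    "type=file;size=120; report.txt",
    "type=file;size=64; ../../outside.txt",
    "type=file;size=64; ..\\..\\outside.txt",
    "type=file;size=10; C:\\temp\\x.txt",
    "type=dir; ..",
]

class UnsafeRemoteName(ValueError):
    """A server-supplied name that must not be used as a local path."""

def mlsd_name(line):
    """Return the name field of one MLSD line (text after the first space)."""
    _facts, sep, name = line.rstrip("\r\n").partition(" ")
    if not sep or not name:
        raise ValueError(f"malformed MLSD line: {line!r}")
    return name

def safe_local_path(download_dir, remote_name):
    """Map a remote name to a path directly inside download_dir, or raise."""
    if remote_name in ("", ".", ".."):
        raise UnsafeRemoteName(remote_name)
    # Separators of either platform, drive/stream colons and NUL are refused.
    if any(ch in remote_name for ch in "/\\:\0"):
        raise UnsafeRemoteName(remote_name)
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, remote_name))
    # After resolving symlinks the file must still sit directly in base.
    if os.path.dirname(target) != base:
        raise UnsafeRemoteName(remote_name)
    return target

def triage_listing(lines, download_dir):
    """Split a listing into {name: local_path} and a list of refused names."""
    accepted, rejected = {}, []
    for line in lines:
        name = mlsd_name(line)
        try:
            accepted[name] = safe_local_path(download_dir, name)
        except UnsafeRemoteName:
            rejected.append(name)
    return accepted, rejected
```

Refused names are worth logging together with the server address, since
a legitimate server has no reason to return them.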

See also :

http://vuln.sg/3dftp801-en.html
http://www.3dftp.com/3dftp_versions.htm

Solution :

Upgrade to 3D-FTP version 8.0.2 or later.

Risk factor :

High / CVSS Base Score : 7.6
(CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.6
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 33218 (3dftp_dir_traversal.nasl)

Bugtraq ID: 29749

CVE ID: CVE-2008-2822
