EFTP Multiple Command Traversal Arbitrary Directory Listing
Medium Nessus Plugin ID 10933
Synopsis
The remote FTP server is affected by an information disclosure vulnerability.
Description
The version of EFTP installed on the remote host can be used to determine whether a given file exists on the remote host, by prepending dot-dot-slash sequences to its path.
For instance, it is possible to determine the presence of '\autoexec.bat' by using the command SIZE or MDTM with the argument '../../../../autoexec.bat'.
An attacker may leverage this flaw to gain more knowledge about this host, such as its file layout. This flaw is especially useful in combination with other vulnerabilities.
Solution
Upgrade to version 3.2 or higher, as it has been reported to fix this vulnerability.
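
For hosts that cannot be upgraded immediately, the probing pattern in the description can be looked for in FTP command logs. The following is an added detection example, not part of the plugin or of EFTP: the log layout, the sample lines and the function names are assumptions, and arguments are treated as relative to the session's starting directory.

```python
import re

# Constructed sample lines in an assumed "<time> <client> <COMMAND> <argument>" layout.
SAMPLE_LOG = """\
2024-01-01T10:00:01 192.0.2.10 SIZE pub/readme.txt
2024-01-01T10:00:02 192.0.2.10 MDTM pub/../pub/readme.txt
2024-01-01T10:00:03 192.0.2.44 SIZE ../../../../autoexec.bat
2024-01-01T10:00:04 192.0.2.44 MDTM ..\\..\\..\\..\\autoexec.bat
2024-01-01T10:00:05 192.0.2.44 RETR pub/readme.txt
"""

WATCHED = {"SIZE", "MDTM"}  # the two commands named in the description
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z]+)\s+(.*)$")


def escapes_root(arg: str) -> bool:
    """True if the path climbs above the directory it starts in."""
    depth = 0
    # Split on both separators: the server runs on Windows, so '\' also works.
    for part in re.split(r"[\\/]+", arg.strip()):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def flag_probes(log_text: str):
    """Return (client, command, argument) for watched commands that escape the root."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _, client, cmd, arg = m.groups()
        if cmd.upper() in WATCHED and escapes_root(arg):
            hits.append((client, cmd.upper(), arg))
    return hits


if __name__ == "__main__":
    for hit in flag_probes(SAMPLE_LOG):
        print(hit)
```

Tracking depth rather than matching the string `..` avoids flagging paths such as `pub/../pub/readme.txt` that stay inside the starting directory.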