3D-FTP Multiple Directory Traversal Vulnerabilities
High Nessus Plugin ID 33218
Synopsis
The remote host has an application that is affected by multiple directory traversal vulnerabilities.
Description
The remote host has the 3D-FTP FTP client installed.
The installed version of 3D-FTP is affected by multiple directory traversal vulnerabilities. By prefixing '../' to filenames in responses to 'LIST' and 'MLSD' commands, an attacker may be able to write arbitrary files outside the client's directory, subject to the privileges of the user. An attacker can leverage this issue to write arbitrary files (potentially containing malicious code) to the client startup directory, where they would then be executed when the user logs on.
To successfully exploit this issue, an attacker must trick a user into downloading a specially named file from a malicious FTP server.
Solution
Upgrade to 3D-FTP version 8.0.2 or later.
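
The client-side check that the description shows to be missing, as an added example (not 3D-FTP's code and not part of the plugin): every name taken from an MLSD reply is confined to the download directory before anything is written. `safe_local_path`, `filter_listing` and the sample lines are hypothetical, and the same name check applies to names parsed from LIST output.

```python
import ntpath
import os

# Constructed MLSD lines (RFC 3659 layout "fact=val;...; name"), not captured traffic.
SAMPLE_MLSD = [
    "type=file;size=2048; report.pdf",
    "type=file;size=64; ../outside.txt",
    "type=file;size=64; ..\\outside.txt",
    "type=file;size=64; C:boot.ini",
]

class UnsafeListingName(ValueError):
    """A server-supplied name that would not stay inside the download directory."""

def mlsd_name(line):
    """Return the name field of one MLSD line (everything after the first space)."""
    _facts, sep, name = line.rstrip("\r\n").partition(" ")
    if not sep or not name:
        raise ValueError("malformed MLSD line: %r" % line)
    return name

def safe_local_path(download_dir, server_name):
    """Map a listing name to a path inside download_dir, or raise UnsafeListingName."""
    # A listing entry names one object in the listed directory, so separators of
    # either style, NUL, drive prefixes and dot-only names are all refused.
    if (not server_name.strip(" .") or "/" in server_name or "\\" in server_name
            or "\x00" in server_name or ntpath.splitdrive(server_name)[0]):
        raise UnsafeListingName(server_name)
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, server_name))
    # Second check on the resolved path, in case the name is a symlink or alias.
    if os.path.commonpath([base, target]) != base:
        raise UnsafeListingName(server_name)
    return target

def filter_listing(download_dir, lines):
    """Split a listing into (safe local paths, refused names)."""
    accepted, refused = [], []
    for line in lines:
        name = mlsd_name(line)
        try:
            accepted.append(safe_local_path(download_dir, name))
        except UnsafeListingName:
            refused.append(name)
    return accepted, refused

if __name__ == "__main__":
    print(filter_listing("downloads", SAMPLE_MLSD))
```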