0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Titan FTP Server 10.32 Build 1816 - Directory Traversal Vulnerability
Author
Risk
![](/img/risk/critlow_2.gif)
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
"Titan FTP Server Directory Traversal Vulnerabilities" ****************************************************************************** - Affected Vendor: South River Technologies - Affected System: Titan FTP Server software (Version 10.32 Build 1816) - Vendor Disclosure Date: January 27th, 2014 - Public Disclosure Date: February 10h, 2014 - Vulnerabilities' Status: Fixed ****************************************************************************** Associated CVEs: 1) CVE-2014-1841: It is possible to copy the complete home folder of another user by leveraging a vulnerability on the Titan FTP Server Web Interface. 2) CVE-2014-1842: It is possible to obtain the complete list of existing users by writing "/../" on the search bar. 3) CVE-2014-1843: It is possible to observe the "Properties" for an existing user home folder. This also allows for enumeration of existing users on the system. Associated CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') http://cwe.mitre.org/data/definitions/22.html ****************************************************************************** DESCRIPTIONS ============ 1) CVE-2014-1841: It is possible to copy the complete home folder of another user by leveraging a vulnerability on the Titan FTP Server Web Interface. This is done by using the "Move" function, and replacing the "src" parameter value with the "/../<folder name of another user>" value. 2) CVE-2014-1842: It is possible to obtain the complete list of existing users by writing "/../" on the search bar and hitting the "Go" button. 3) CVE-2014-1843: It is possible to observe the "Properties" for an existing user home folder. This also allows for enumeration of existing users on the system. This is done by using the "Properties" function, and replacing the "src" parameter value with the "/../<folder name of another user>" value. ****************************************************************************** - Available fix: Titan FTP Server software (Version 10.40 Build 1829): + titanftp32_10_40_1829_en.exe + titanftp64_10_40_1829_en.exe - Related Links: Deloitte Argentina - www.deloitte.com/ar - Feedback: If you have any questions, comments, concerns, updates or suggestions please contact: + Fara Rustein frustein@deloitte.com (Twitter: @fararustein) + Luciano Martins lmartins@deloitte.com (Twitter: @clucianomartins) ****************************************************************************** Credits: CVE-2014-1841: 1. It is possible to copy the complete home folder of another user by leveraging a vulnerability on the Titan FTP Server Web Interface. Discovered by Fara Rustein - frustein@deloitte.com CVE-2014-1842: 2. It is possible to obtain the complete list of existing users by writing "/../" on the search bar. Discovered by Luciano Martins - lmartins@deloitte.com CVE-2014-1843: 3. It is also possible to observe the "Properties" for an existing user home folder. This also allows for enumeration of existing users on the system. Discovered by Fara Rustein - frustein@deloitte.com # 0day.today [2024-07-02] #