[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FDclone-users:00788] Directory Traversal in FDclone

Subject: [FDclone-users:00788] Directory Traversal in FDclone
From: Takashi SHIRAI <shirai@unixusers.net>
Date: Tue, 17 Jun 2008 00:57:07 +0900

$B!!$7$i$$$G$9!#(B
(B
$B!!@hF|Mh$A$g$C$H5$$K3]$+$C$F$$$kLdBj$,$"$C$F@.9T$-$r8+u67$KL@$k$$?M(B
$B$,$$$?$i65$($F2<$5$$!#(B
(B
(B
$B!!(Bdirectory traversal $B$H8F$P$l$k(B security $B967b$,$"$j$^$9!#Aj(B
$BBP(B path $BI=5-$G!V(B../$B!W$rMQ$$$k$3$H$G!"0U?^$7$J$$(B directory $B$K(B
(Bfile $B$r:n@.$5$;$k$h$&$J967bK!$G$9!#(B
$B!!(BFDclone $B$G$b!"0JA0!V(B../../../../etc/passwd$B!W$N$h$&$J(B file
$B$r4^$`(B archive $B$NCf?H$r;2>H$7$h$&$H$9$k$H!"(BTMPDIR $B$N;XDj$r1[(B
$B$($F(B /etc $B0J2<$,=q49$($i$l$F$7$^$&$H$$$&;XE&$,$"$j$^$7$?!#(B
$B!!$3$N;~$O!"$=$l$O(B tar $B$d(B lha $BEy$N30It(B command $B$NLdBj$G$"$C(B
$B$F!"(BFDclone $BB&$G$O$I$&$7$h$&$b$J$$$H$$$&7kO@$K;j$C$F$$$k$H;W(B
$B$$$^$9!#(B
(B
$B!!:G6a(B directory traversal $B$GAd6L$K5s$2$i$l$?%=%U%H$K(B FFFTP
$B$H$$$&(B Windows $B$N(B FTP client $B$,$"$j$^$9!#(B
$B!!0-0U$"$k(B FTP site $B$,!V(B../$B!W$r4^$`(B filename $B$rJV$7$?:]$K!"(B
(BFFFTP $B$O(B download $B@h$K;XDj$7$?(B direcroty $B$G$O$J$/!"!V(B../$B!W$G(B
$BAjBP(B path $B$H$7$F;XDj$5$l$?(B directory $B$K(B download $B$7$^$9!#(B
$B!!$3$N>\:Y$O2<5-(B URL $B$G;2>H=PMh$k$N$G!"6=L#$N$"$kJ}$OFI$s$G(B
$B$_$F2<$5$$!#(B
(B	http://vuln.sg/FFFTP196b-jp.html
(B
$B!!(BFTP $B$N(B LIST command $B$,JV$9(B filename $B$O(B path delimiter $B$r4^(B
$B$^$J$$$H$$$&A0Ds$G(B program $B$rAH$s$G$$$k$H$$$&E@$G$O!"(BFDclone
$B$bF1$8$G$9!#(B
$B!!$H$$$&$3$H$G(B FDclone $B$bF1$8$h$&$J@He5-Js9p(B site $B$K$O8!>ZMQ$N(B exploit $B$,CV$$$F$"$C$?$i$7$$$N(B
$B$G$9$,!";d$,8+$?;~$K$O4{$K:o=|$5$l$F$7$^$C$F$$$?$N$G!"%F%9%H(B
$B$7$F$_$k$3$H$b=PMh$J$$$s$G$9$M!#(B
(B
$B!!BP=h$H$7$F$O!"(BURL drive $B$K(B access $B$7$?>l9g$O!V(B/$B!W$r4^$`$h(B
$B$&$J(B filename $B$OL5;k$9$k$h$&$K$7$h$&$H9M$($F$$$F!"0l1~$=$&$$(B
$B$&(B code $B$O=q$$$F$_$^$7$?!#(B
$B!!(BFTP $B$N(B LIST command $B$K$7$m(B Apache $B$N(B mod_autoindex $B$K$7$m!"(B
(Bfilename $B$H$7$F!V(B/$B!W$r4^$`J8;zNs$r=PNO$7$J$$H&$J$N$G!"$=$&$$(B
$B$&(B filename $B$rCF$$$F$bDL>o$OZ=PMh$l$PBg>fIW$J$N(B
$B$G$9$,!"$I$3$+$K$=$&$$$&(B exploit $B$r;E9~$s$@(B FTP/HTTP server
$B$O$"$j$^$;$s$+$M!)(B
(B
(B                                               $B$7$i$$(B $B$?$+$7(B

Follow-Ups:
- [FDclone-users:00789] Re: Directory Traversal in FDclone
  - From: Takashi SHIRAI <shirai@unixusers.net>

Prev by Date: [FDclone-users:00787] Re: Re: [FDclone-users:00785] Re: FDclone 3.00 $B$N(B alias $B$K$D$$$F(B
Next by Date: [FDclone-users:00789] Re: Directory Traversal in FDclone
Previous by thread: [FDclone-users:00784] FDclone 3.00 $B$N(B alias $B$K$D$$(B$B$F(B
Next by thread: [FDclone-users:00789] Re: Directory Traversal in FDclone
Index(es):
- Date
- Thread