ColoradoFTP Server Directory Traversal Vulnerability Allowing Arbitrary File Access

A directory traversal vulnerability has been identified in ColoradoFTP Server versions through 1.3 Build 8 for Windows. This vulnerability allows unauthenticated attackers to read or write arbitrary files outside the designated FTP root directory. The issue arises from inadequate sanitization of user-supplied file paths in the FTP GET and PUT command handlers. Exploitation can be achieved by sending traversal sequences during FTP operations, granting access to sensitive system files. This vulnerability is exclusive to the Windows version of ColoradoFTP.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the file system, allowing attackers to read or write files outside the FTP root directory. This could include sensitive system files, depending on the traversal path used.

Reproduction

The vulnerability can be reproduced by uploading or downloading files using the FTP PUT or GET commands, respectively. When specifying the file path, include directory traversal sequences that begin with a backslash, such as '\..\', to navigate outside the user's home directory. This traversal can be used to access arbitrary locations on the file system, such as the Windows system directory.

Remediation

Users are advised to upgrade to ColoradoFTP Prime Edition Build 9, which addresses this vulnerability. The updated version can be downloaded from the ColoradoFTP website.