Titan FTP Server 2019 Build 3505 Directory Traversal
Titan FTP Server 2019 build 3505 suffers from a directory traversal vulnerability.
a7872face8bf62f7e150c91b6ba6313a**********************************************************************
Discovered By: Kevin Randall on 3/23/2019
**********************************************************************
A Directory Traversal issue was discovered in the Web GUI in Titan FTP
Server 2019 Build 3505.
When an authenticated user attempts to preview an uploaded file (through
PreviewHandler.ashx) by using a .... technique, arbitrary files can
be loaded in the server response outside the root directory.
***********************************************************************
Tools used:Parrot OS
Windows 7 32 Bit
BurpSuite
Browser
*************************************************************************
Vulnerability has been fixed in the following build:
Build: Titan FTP Server 2019 Build 3515
**************************************************************************
Proof of Concept (PoC):
Step 1: Authenticate through Titan FTP Web GUI
Step 2: Upload file and attempt to view it
Step 3: Intercept requests with BurpSuite when attempting to view uploaded
file
Step 4: Modify "path=" and "filename=" parameters in the following GET
request:
Ex: View contents of README.txt file in Python27 directory:
Note: You can access other files in directories such as System32, Desktop
etc.
Payload:
*****************************************************************************************
GET
/PreviewHandler.ashx?path=........Python27README.txt&filename=README.txt
*****************************************************************************************
Step 5: If path is set-up correctly and if file exists, you will receive a
200 OK back from the server.
Step 6: View the file through the file preview in the FTP server.
**************************************************************************************************
**************************************************************************************************
Timeline:
Date Discovered: 3/23/2019
Date Disclosed to Vendor: 3/23/2019
CVE Obtained: 3/24/2019
Vendor Created Patched Version Titan FTP Version 2019 Build 3515: 3/25/2019
Vendor Created Entry in Jira System for issue (SVR-499): 3/25/2019
Date Disclosed: 3/26/2019
**************************************************************************************************
(function(d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); js.id = id;
js.src = "http://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.8&appId=409115965821184";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));
Gloss