Titan FTP Server 2019 Build 3505 Directory Traversal

Credit: Kevin Randall
Risk: Medium
Local: No
Remote: Yes

********************************************************************** Discovered By: Kevin Randall on 3/23/2019 ********************************************************************** A Directory Traversal issue was discovered in the Web GUI in Titan FTP Server 2019 Build 3505. When an authenticated user attempts to preview an uploaded file (through PreviewHandler.ashx) by using a \..\..\ technique, arbitrary files can be loaded in the server response outside the root directory. *********************************************************************** Tools used: Parrot OS Windows 7 32 Bit BurpSuite Browser ************************************************************************* Vulnerability has been fixed in the following build: Build: Titan FTP Server 2019 Build 3515 ************************************************************************** Proof of Concept (PoC): Step 1: Authenticate through Titan FTP Web GUI Step 2: Upload file and attempt to view it Step 3: Intercept requests with BurpSuite when attempting to view uploaded file Step 4: Modify "path=" and "filename=" parameters in the following GET request: Ex: View contents of README.txt file in Python27 directory: Note: You can access other files in directories such as System32, Desktop etc. Payload: ***************************************************************************************** GET /PreviewHandler.ashx?path=\..\..\..\..\Python27\README.txt&filename=README.txt ***************************************************************************************** Step 5: If path is set-up correctly and if file exists, you will receive a 200 OK back from the server. Step 6: View the file through the file preview in the FTP server. ************************************************************************************************** ************************************************************************************************** Timeline: Date Discovered: 3/23/2019 Date Disclosed to Vendor: 3/23/2019 CVE Obtained: 3/24/2019 Vendor Created Patched Version Titan FTP Version 2019 Build 3515: 3/25/2019 Vendor Created Entry in Jira System for issue (SVR-499): 3/25/2019 Date Disclosed: 3/26/2019 **************************************************************************************************

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com


Back to Top