---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Learn more: http://secunia.com/network_software_inspector_2/ ---------------------------------------------------------------------- TITLE: CuteFTP Directory Download Directory Traversal Vulnerability SECUNIA ADVISORY ID: SA29760 VERIFY ADVISORY: http://secunia.com/advisories/29760/ CRITICAL: Less critical IMPACT: System access WHERE: >From remote SOFTWARE: CuteFTP Pro 8.x http://secunia.com/product/11482/ CuteFTP Home 8.x http://secunia.com/product/18804/ DESCRIPTION: Tan Chew Keong has reported a vulnerability in CuteFTP, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an input validation error when downloading directories containing files with directory traversal specifiers in the filename. This can be exploited to download files to an arbitrary location on a user's system. Successful exploitation requires that the user is tricked into connecting and downloading a directory from a malicious FTP server. The vulnerability is reported in the following versions: * CuteFTP Home Version 8.2.0 Build 02.26.2008.4 * CuteFTP Pro Version 8.2.0 Build 04.01.2008.1 Other versions may also be affected. SOLUTION: The vulnerability will reportedly be fixed in an upcoming version. PROVIDED AND/OR DISCOVERED BY: Tan Chew Keong ORIGINAL ADVISORY: http://vuln.sg/cuteftp820-en.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------