================================================================
BluePanda Vulnerability Announcement: WFTPD/WFTPD Pro 2.41 RC12
05/09/2000 (dd/mm/yyyy)
http://bluepanda.box.sk/
================================================================
Problem: "Magic cookie" %C divulges sensitive information.
Vulnerable: WFTPD/WFTPD Pro 2.41 RC12, and prior.
Immune: WFTPD/WFTPD Pro 2.41 RC13.
Vendor status: Notified. A fix has been released.
==========
Details:
==========
Sending the "magic cookie" %C as a command reveals the full path of the
current directory in the server's error reply, e.g.:
C:\>nc panda 21
220 WFTPD 2.4 service (by Texas Imperial Software) ready for new user
user anonymous
331-Anonymous user access allowed - please enter your email
331-address as the password:
331 Give me your password, please
pass
230 Logged in successfully
%C
500 Unidentified command D:\FTPROOT\
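
Added example (not part of the original advisory or the vendor's code): a Python regression check that pairs each client command in a captured FTP session with its reply and flags error replies disclosing a Windows drive path the client did not send. The function names, the path regex and the %-letter cookie pattern are assumptions of this example; the sample session is the transcript above without the nc invocation.

```python
import re

# Session taken from the advisory's transcript (client and server lines interleaved).
SAMPLE_SESSION = r"""220 WFTPD 2.4 service (by Texas Imperial Software) ready for new user
user anonymous
331-Anonymous user access allowed - please enter your email
331-address as the password:
331 Give me your password, please
pass
230 Logged in successfully
%C
500 Unidentified command D:\FTPROOT\
"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")                    # reply line: code, separator, text
DRIVE_PATH = re.compile(r"(?<![A-Za-z])[A-Za-z]:\\[^\s\"']*")  # assumed pattern for X:\... paths
COOKIE = re.compile(r"%[A-Za-z]")                             # assumed shape of a "magic cookie"


def pair_exchanges(session):
    """Yield (client_command, reply_code, reply_text); command is None for the greeting."""
    command, text = None, []
    for line in session.splitlines():
        m = REPLY.match(line)
        if m:
            text.append(m.group(3))
            if m.group(2) == " ":          # "NNN " ends a reply, "NNN-" continues it
                yield command, m.group(1), "\n".join(text)
                command, text = None, []
        elif text:                         # unnumbered line inside a multi-line reply
            text.append(line)
        elif line.strip():
            command = line.strip()


def find_path_leaks(session):
    """Return error replies (4xx/5xx) that contain a drive path absent from the command."""
    findings = []
    for command, code, text in pair_exchanges(session):
        if code[0] not in "45":
            continue
        for raw in DRIVE_PATH.findall(text):
            path = raw.rstrip(".,:;)")     # drop punctuation that trails an echoed path
            if path not in (command or ""):  # not echoed from the client: server-side leak
                findings.append({"command": command, "code": code, "path": path,
                                 "cookie": bool(COOKIE.search(command or ""))})
    return findings
```

Run `find_path_leaks` over a session captured from the server under test; an empty list means no error reply disclosed a local path.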