J-Security Center

Title: BisonFTP BDL File Upload Directory Traversal Vulnerability

Severity: HIGH

Description:

BisonFTP is a commercial application designed to run on Windows Operating Systems. BisonFTP offers an add-on ftp daemon to Windows 9x, NT4, Me and 2000 systems.

A problem with BisonFTP makes it possible for local users to escape their home directory and traverse the root directory that houses it.

The daemon allows users to upload Microsoft .bdl files, a file type that links a directory to a file. By uploading a specially crafted .bdl file, a user of the package can escape their home directory and reach the root directory of the drive.

Upon escaping the FTP root, a local user may traverse the entire file system with the same privileges they hold in their home directory.
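As an added illustration, not BisonFTP code or anything from the advisory, the following Python shows the core mitigation for this class of bug: resolve every requested path with links followed and serve it only if the final target still lies under the user's FTP root. A symlink stands in for the directory-linking .bdl file, and the directory layout is constructed for the demo.

```python
import os
import tempfile


def is_confined(ftp_root: str, requested: str) -> bool:
    """Resolve `requested` relative to ftp_root with all links followed and
    accept it only if the target is ftp_root itself or lies beneath it.
    Comparing against root + os.sep stops '/srv/user2' from passing as a
    child of '/srv/user'."""
    root = os.path.realpath(ftp_root)
    target = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    return target == root or target.startswith(root + os.sep)


def naive_is_confined(ftp_root: str, requested: str) -> bool:
    """The common mistake: a bare string-prefix test, kept only to show the
    sibling-directory false positive that is_confined avoids."""
    root = os.path.realpath(ftp_root)
    target = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    return target.startswith(root)


def build_demo() -> dict:
    """Constructed layout (an assumption, not from the advisory): a user home
    with a normal subdirectory, a sibling user directory, and an entry that
    links out of the home, standing in for an uploaded directory-link file."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "user")
    os.makedirs(os.path.join(home, "docs"))
    os.makedirs(os.path.join(base, "home", "user2"))
    os.symlink(base, os.path.join(home, "escape"))  # resolves above the home
    return {"base": base, "home": home}


def evaluate(home: str) -> dict:
    """Run both checks over representative requests; a daemon should serve
    only the entries that is_confined accepts."""
    requests = ["docs", "escape", "escape/home/user/docs", "../user2", "../../.."]
    return {r: (is_confined(home, r), naive_is_confined(home, r)) for r in requests}


if __name__ == "__main__":
    layout = build_demo()
    for req, (strict, naive) in evaluate(layout["home"]).items():
        print(f"{req:24} strict={strict!s:5} naive={naive}")
```

Note that a link which loops back inside the root (`escape/home/user/docs`) is accepted, since confinement is judged on the resolved target rather than on the path text.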

Affected Products:

  • BisonFTP Bison Ftp Server 0.0.0V4R1

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.