LowProventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Network MFS, BlackICE Agent for Server, RealSecure Guard, RealSecure Sentry, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for Vmware:
This signature detects access to any file with a type of '.lnk' during an FTP session.
Proventia Network IPS, Proventia Server IPS for Linux technology, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Network MFS, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for Vmware: This event triggers on the request for a *.LNK file, not the actual contents of the file retrieved. Any file an extension of *.lnk will trigger this event.
Low
Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, RealSecure Desktop: baseline, Proventia Server IPS for Linux technology: 1.0, Proventia Desktop: 8.0.614.1, Proventia Network IDS: A Series, Proventia-G 1.1 and earlier: G Series, IBM Security Server Protection for Windows: 1.0.914.0, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network MFS: 1.0, BlackICE Agent for Server: 3.6, RealSecure Guard: 3.6, RealSecure Sentry: 3.6, BlackICE Server Protection: 3.6.cbd, BlackICE PC Protection: 3.6.cbd, RealSecure Network: 7.0, RealSecure Server Sensor: 7.0, RealSecure Desktop Protector: 3.6, Virtual Server Protection for Vmware: 1.0
Texas Imperial Software WFTPD: 3.00 R5, ArGoSoft ArGoSoft FTP Server: 1.2.2.2, TransSoft Broker FTP Server: 5.x
Unauthorized Access Attempt
ArGoSoft FTP Server, Transsoft Broker FTP Server, and WFTPD could allow a remote attacker to traverse directories on the Web server. A remote attacker can upload a '.lnk' file which points to any file or directory to traverse directories and gain access to any file in the directory containing the link.
For WFTPD (all versions):
Upgrade to WFTPD (3.10 R1 or later) or (Pro 3.10 R1 or later), available from Texas Imperial Softwares Web site. See References.
For other distributions:
Contact your vendor for patch or upgrade information.
BugTraq Mailing List, Sun Jul 01 2001 - 11:30:35 CDT
ArGoSoft 1.2.2.2 *.lnk upload Directory Traversal
http://archives.neohapsis.com/archives/bugtraq/2001-07/0015.html
ArGoSoft Web site
ArGoSoft FTP Server
http://www.argosoft.com/applications/ftpserver/default.asp
BugTraq Mailing List, Sun Jul 01 2001 - 11:11:42 CDT
Broker 5.9.5.0 Directory Traversal
http://archives.neohapsis.com/archives/bugtraq/2001-07/0014.html
BugTraq Mailing List, Sun Jul 01 2001 - 08:25:44 CDT
WFTPD v3.00 R5 Directory Traversal
http://archives.neohapsis.com/archives/bugtraq/2001-07/0013.html
Texas Imperial Software Web site
Index of /downloads
http://www.wftpd.com/downloads/
ISS X-Force
Multiple FTP server ".lnk" directory traversal
http://www.iss.net/security_center/static/6760.php
CVE
CVE-2001-1042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1042