#VU35857 Path traversal in Titan FTP Server
Vulnerability identifier: #VU35857
Vulnerability risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-22
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Titan FTP Server
Server applications /
Other server solutions
Vendor: South River Technologies
Description
The vulnerability allows a remote authenticated user to gain access to sensitive information.
A Directory Traversal issue was discovered in the Web GUI in Titan FTP Server 2019 Build 3505. When an authenticated user attempts to preview an uploaded file (through PreviewHandler.ashx) by using a .... technique, arbitrary files can be loaded in the server response outside the root directory.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Titan FTP Server: 2019
External links
http://packetstormsecurity.com/files/152244/Titan-FTP-Server-2019-Build-3505-Directory-Traversal.html
http://seclists.org/fulldisclosure/2019/Mar/47
http://www.southrivertech.com/software/regsoft/titanftp/v19/verhist_en.html
http://seclists.org/fulldisclosure/2019/Mar/47
http://www.exploit-db.com/exploits/46611
http://www.exploit-db.com/exploits/46611/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
