vendor:
FTGate
by:
Unknown
N/A
CVSS
MEDIUM
File Stealing
22
CWE
Product Name: FTGate
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: CVE-Unknown
CPE: a:floosietek:ftgate
Other Scripts:
https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/http/zimbra_cpio_cve_2022_41352, https://www.infosecmatter.com/nessus-plugin-library/?id=60449, https://www.infosecmatter.com/nessus-plugin-library/?id=59851, https://www.infosecmatter.com/nessus-plugin-library/?id=47617, https://www.infosecmatter.com/nessus-plugin-library/?id=156935, https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/http/zimbra_mboximport_cve_2022_27925, https://www.infosecmatter.com/nessus-plugin-library/?id=78067, https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/scanner/rdp/cve_2019_0708_bluekeep, https://www.infosecmatter.com/nessus-plugin-library/?id=136245, https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/admin/dcerpc/cve_2021_1675_printnightmare
Platforms Tested: Windows
Unknown
Vulnerability in Floosietek’s FTGate
A vulnerability in Floosietek's FTGate allows remote malicious users to steal local files. The web server fails to check whether requested files fall outside its document tree (by using '..' in the URL). Thus attackers can retrieve files in the same drives as that on which the software resides if they know or can get its filename.
Mitigation:
Implement proper input validation and sanitization to prevent directory traversal attacks. Update to the latest version of Floosietek's FTGate that addresses this vulnerability.
