CompleteFTP path traversal flaw allowed attackers to delete server files

guest · Aug 1, 2022

Security issue fixed in version 22.1.1 of file transfer software
August 1, 2022

A security vulnerability in file transfer software CompleteFTP allowed unauthenticated attackers to delete arbitrary files on affected installations.

Developed by EnterpriseDT of Australia, CompleteFTP is a proprietary FTP and SFTP server for Windows that supports FTPS, SFTP, and HTTPS.
Click to expand...

A security researcher with the handle rgod discovered a flaw in the HttpFile class that results from the lack of proper validation of a user-supplied path prior to using it in file operations.

“This vulnerability allows remote attackers to delete arbitrary files on affected installations of EnterpriseDT CompleteFTP server,” a security advisory explains.

The issue was assigned CVE-2022-2560 and was fixed in CompleteFTP version 22.1.1.
This release includes other security enhancements in the form of SHA-2 cryptographic hash function for RSA signatures and a new format for PuTTY private keys.
Click to expand...

Log in or Sign up

CompleteFTP path traversal flaw allowed attackers to delete server files

guest Guest

Log in or Sign up

CompleteFTP path traversal flaw allowed attackers to delete server files

guest Guest

Useful Searches