F-Secure Vulnerability Information:
IBM AIX ftpd "quote cwd" Full Path Disclosure Weakness

Report ID: SA30360
Source: Secunia
Date of Discovery: 22.05.2008
Criticality: Negligible
Affects:

AIX 5.x
AIX 6.x

Compromise From: From remote
Compromise Type: Exposure of system information

Summary

A weakness has been reported in IBM AIX, which can be exploited by malicious people to disclose system information.

Detailed Description

The full path of the anonymous FTP user's home directory can be disclosed by sending a "quote cwd" command to an ftpd server that has anonymous login enabled.

The weakness is reported in versions 5.2, 5.3, and 6.1.

Solution

Apply fixes or APARs as soon as they become available.
http://aix.software.ibm.com/aix/efixes/security/ftpd_fix.tar
ftp://aix.software.ibm.com/aix/efixes/security/ftpd_fix.tar

-- APARS --

AIX 5.2.0:
IZ18670 (available approximately 20/6/2008)

AIX 5.3.0:
IZ22357 (available approximately 20/6/2008)

AIX 5.3.7:
IZ22358 (available approximately 20/6/2008)

AIX 5.3.8:
IZ21529 (available approximately 20/6/2008)

AIX 6.1.0:
IZ22356 (available approximately 20/6/2008)

CVE Reference
CVE-1999-0201

F-Secure Corporation