Subscribe via feed.

ABB IDAL FTP Server Path Traversal

Posted by deepcore on June 25, 2019 – 2:00 pm

The IDAL FTP server fails to ensure that directory change requests do not change to locations outside of the FTP servers root directory. An authenticated attacker can simply traverse outside the server root directory by changing the directory with “cd ..”. An authenticated attacker can traverse to arbitrary directories on the hard disk and then use the FTP server functionality to download and upload files. An unauthenticated attacker can take advantage of the hardcoded or default credential pair exor/exor to become an authenticated attacker.


This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.