TitanFTP versions up to 1.94.1205 contain a path traversal vulnerability in the move-file function where the newPath parameter is improperly validated. An authenticated user can upload a file and then move it to any location on the server filesystem, potentially allowing arbitrary file placement and system compromise.
PoC code [public]
id: CVE-2023-22629
info:
  name: TitanFTP move-file Function ≤ 1.94.1205 - Path Traversal
  author: pussycat0x
  severity: high
  description: |
    TitanFTP versions up to 1.94.1205 contain a path traversal vulnerability in the move-file function where the newPath parameter is improperly validated. An authenticated user can upload a file and then move it to any location on the server filesystem, potentially allowing arbitrary file placement and system compromise.
  reference:
    - http://packetstormsecurity.com/files/171737/Titan-FTP-Path-Traversal.html
    - https://titanftp.com
    - https://www.southrivertech.com/software/nextgen/titanftp/en/relnotes.pdf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-22629
    cwe-id: CWE-22
    epss-score: 0.81229
    epss-percentile: 0.99115
    cpe: cpe:2.3:a:southrivertech:titan_ftp_server:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: southrivertech
    product: titan_ftp_server
    shodan-query: product:"Titan ftpd"
  tags: cve,cve2023,network,ftp,titan-ftp,tcp,passive,vuln
tcp:
  - inputs:
      - data: 00000000
        type: hex
    host:
      - "{{Hostname}}"
    port: 21
    read-size: 1024
    matchers:
      - type: dsl
        dsl:
          - "contains(raw, 'TitanFTP')"
          - "compare_versions(version, '<= 1.94.1205')"
        condition: and
    extractors:
      - type: regex
        group: 1
        name: version
        regex:
          - "TitanFTP ([0-9.]+)"
# digest: 4a0a00473045022100c28806b8d18a4ac367a831de0e5ff0612c5e9c0e2f5bf6872d58bf8335edbf71022063f421fc511f99a34624a770189dfa44ecf33af211ee995320ba012791f1bcb3:922c64590222798bb761d5b6d8e72950