eFileGo 3.01 Multiple Vulnerabilities

Severity: Critical
Date of release: 31/12/2005
Product url: http://www.paqtool.com/download.html

Description:

A file share http server. Safely as p2p software, no client needed. Your friend can download files from your computer by internet browser quickly. This software is an easy & fast send-files software that runs under Windows 95/98/NT/ME/2000/XP. When you want to send a large file, photos, images, programs, folders, a website etc. from your computer, please try eFileGo. It can send large files that an e-mail program can't. This software lets the receiver visit your computer directly. Your computer will become a server. You just click one button and it will finish. You no longer need to wait for an attachment to be sent via email.

Vulnerability Analysis:

Multiple vulnerabilities have been identified in eFileGo 3.01 that may be used by a remote attacker to successfully compromise a remote system.

(1) Directory Traversal attack & Directory Listing

A directory traversal vulnerability is caused by an input validation error that makes it possible to escape the user-configured root folder and retrieve arbitrary files on the system via directory traversal attacks using the ".../.../" character sequence.

Example:

    http://[host]:608/.../.../.../.../.../windows/
    http://[host]:608/.../.../.../.../.../.../windows/explorer.exe

(2) Remote Command Execution

Using the directory traversal attack discussed above, it is possible to execute commands remotely using cmd.exe.

Example:

    http://[host]:608/.../.../.../.../.../.../.../.../windows/system32/cmd.exe?/c+dir

This command will list all the files in the /windows/system32/ folder. Be imaginative...

(3) Upload.exe Denial of Service and file upload vulnerability

i) A denial-of-service condition has been identified in upload.exe that will make the system consume 50-60% CPU usage. The problem takes place if upload.exe, which is used by users to upload new files to the server, takes an invalid upload directory as a parameter.

Example:

    http://[host]:608/dasjf9832root/cgi-bin/upload.exe?/some_random_directory...

ii) A second vulnerability exists in upload.exe that may be used by remote malicious users to upload files anywhere on the hard disk. In order for this bug to work successfully, it must be combined with the directory traversal bug above.

Example: Let's say that I want to put the file nc.exe into the /windows folder. The first thing I have to do is to use http://[host]/.../.../.../.../.../windows/ and then just use the upload function to upload the file to the /windows folder. Finally we will get something like this:

    (http://[host]:608/dasjf9832root/cgi-bin/upload.exe?/.../.../.../.../.../.../windows/)
    Local file "C:\test\nc.exe" is uploaded to the server successfully.

***Be careful! If you try to access /cgi-bin/upload.exe?/.../.../.../.../.../.../windows/ directly without having used the traversal bug first, it won't work and the file nc.exe will end up in the already specified folder.

credit: dr_insane
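
Added example (not part of the original advisory and not vendor code): a detection check that flags the request shapes described in (1), (2) and (3)(ii) in web server or proxy logs. It assumes only the request target (path and query) has already been extracted from each log line; the function names, reason labels and sample targets are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# A segment made only of dots, two or more ("..", "...", "...."), covers the
# advisory's ".../.../" sequence as well as the classic "../".
DOT_RUN = re.compile(r"^\.{2,}$")

def _has_dot_run(part):
    # Decode percent-escapes first and treat "\" like "/", as Windows does.
    decoded = unquote(part).replace("\\", "/")
    return any(DOT_RUN.match(seg) for seg in decoded.split("/"))

def classify(request_target):
    """Return the reasons a request target matches the advisory's patterns."""
    parts = urlsplit(request_target)
    reasons = []
    if _has_dot_run(parts.path):
        reasons.append("traversal-in-path")
    # upload.exe takes its destination directory as the query string.
    if _has_dot_run(parts.query):
        reasons.append("traversal-in-query")
    # Heuristic (assumption): an .exe requested with arguments from outside
    # the server's cgi-bin folder, as in the cmd.exe?/c+dir case.
    name = unquote(parts.path).rsplit("/", 1)[-1].lower()
    if name.endswith(".exe") and parts.query and "/cgi-bin/" not in parts.path.lower():
        reasons.append("exe-with-arguments-outside-cgi-bin")
    return reasons

# Constructed sample request targets (host omitted), modelled on the advisory.
SAMPLES = [
    "/index.html",
    "/.../.../.../windows/",
    "/.../.../.../windows/system32/cmd.exe?/c+dir",
    "/dasjf9832root/cgi-bin/upload.exe?/.../.../.../windows/",
    "/dasjf9832root/cgi-bin/upload.exe?/shared/",
    "/%2e%2e%2e/%2e%2e%2e/windows/",
]

def scan(targets):
    """Map each suspicious target to its list of reasons; clean ones are omitted."""
    return {t: r for t in targets if (r := classify(t))}

if __name__ == "__main__":
    for target, reasons in scan(SAMPLES).items():
        print(f"{', '.join(reasons):55} {target}")
```

The DoS case in (3)(i) is not covered, because recognising an invalid upload directory requires knowing which directories the server actually shares.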