CVE-2004-0325

LOW 2.1 / 10.0
Published: December 31, 2004 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

TYPSoft FTP Server 1.10 allows remote authenticated users to cause a denial of service (CPU consumption) via "//../" arguments to (1) mkd, (2) xmkd, (3) dele, (4) size, (5) retr, (6) stor, (7) appe, (8) rnfr, (9) rnto, (10) rmd, or (11) xrmd, as demonstrated using "//../qwerty".

CVSS Metrics

Base Score: 2.1
Severity: LOW
Vector String: AV:L/AC:L/Au:N/C:N/I:N/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

TYPSoft FTP Server 1.10 is vulnerable to a denial-of-service (DoS) attack. Authenticated users can exploit a path traversal vulnerability by sending FTP commands whose path argument contains the "//../" sequence, leading to excessive CPU consumption and server unavailability. This allows attackers to disrupt service availability, impacting users and potentially leading to data loss or business disruption.

02 // Vulnerability Mechanism

Step 1: Authentication: The attacker successfully authenticates to the TYPSoft FTP server using valid credentials.

Step 2: Payload Delivery: The attacker crafts a malicious FTP command, such as mkd //../qwerty, dele //../qwerty, or others, including the path traversal sequence "//../" followed by a payload (e.g., "qwerty").

Step 3: Command Execution: The attacker sends the crafted command to the FTP server.

Step 4: Vulnerability Trigger: The FTP server, due to insufficient input validation, attempts to process the path traversal sequence. This may lead to an infinite loop, excessive resource allocation, or other inefficient operations.

Step 5: Denial of Service: The server's CPU usage spikes, and the server becomes unresponsive, effectively denying service to legitimate users.

03 // Deep Technical Analysis

The vulnerability stems from insufficient validation of path arguments in various FTP commands. The server fails to sanitize or restrict path traversal sequences like "//../" in commands such as mkd, dele, retr, and the others listed in the description, before the arguments are used in file system operations. An authenticated user can therefore craft a request that, when processed by the server, results in an infinite loop or excessive resource allocation, leading to high CPU usage and a DoS condition. The server likely attempts to process the malformed path, leading to an inefficient or resource-intensive operation.
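The validation this analysis says is missing can be done in one bounded pass over the argument before any file system call. The sketch below is an added example, not TYPSoft's code or part of the original record; the function names, the 1024-character limit and the sample session are assumptions.

```python
# Commands named in the CVE description as accepting the "//../" argument.
PATH_COMMANDS = {"MKD", "XMKD", "DELE", "SIZE", "RETR", "STOR",
                 "APPE", "RNFR", "RNTO", "RMD", "XRMD"}

class PathRejected(ValueError):
    """Raised when a client path must not reach any file system call."""

def resolve_virtual(cwd, arg, max_len=1024):  # max_len is an assumed limit
    """Normalize arg against the virtual cwd in one pass over its segments.

    Work is linear in len(arg); a path that climbs above "/" is rejected
    instead of being clamped or retried.
    """
    if not arg or len(arg) > max_len or "\x00" in arg:
        raise PathRejected("empty, oversized or NUL-containing path")
    arg = arg.replace("\\", "/")  # Windows host: backslash is a separator too
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for seg in arg.split("/"):
        if seg in ("", "."):      # collapses "//" and "/./"
            continue
        if seg == "..":
            if not parts:
                raise PathRejected("path climbs above the FTP root")
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def check_command(cwd, line):
    """Return (verb, path); path is None when the argument is rejected."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb not in PATH_COMMANDS:
        return verb, arg          # not a path command covered here
    try:
        return verb, resolve_virtual(cwd, arg)
    except PathRejected:
        return verb, None

# Constructed sample session (not captured traffic).
SAMPLE = ["mkd //../qwerty", "RETR docs/../readme.txt", "dele //../qwerty",
          "SIZE /pub//a/./b", "NOOP"]

def rejected(cwd, lines):
    """Lines whose path argument was refused before any file system access."""
    return [l for l in lines if check_command(cwd, l)[1] is None]

if __name__ == "__main__":
    print(rejected("/pub", SAMPLE))
```

The same `rejected` function can be run over a server's command log to surface sessions that sent the "//../" form to any of the eleven commands.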
