vuln.sg  smartproxy megabasterd

vuln.sg Vulnerability Research Advisory

AceFTP FTP-Client Directory Traversal Vulnerability

by Tan Chew Keong
Release Date: 2008-06-27

smartproxy megabasterd   [en] [jp]

smartproxy megabasterd Summary

A vulnerability has been found within the FTP client in AceFTP. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.


smartproxy megabasterd Tested Versions


smartproxy megabasterd Details

This advisory discloses a vulnerability within the FTP client in AceFTP. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.

The FTP client does not properly sanitise filenames containing directory traversal sequences (forward-slash) that are received from an FTP server in response to the LIST command.

An example of such a response from a malicious FTP server is shown below. 


Response to LIST (forward-slash):

-rw-r--r--    1 ftp      ftp            20 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n
 

By tricking a user to download a directory from a malicious FTP server that contains files with fowward-slash directory traversal sequences in their filenames, it is possible for the attacker to write files to arbitrary locations on a user's system with privileges of that user. An attacker can potentially leverage this issue to write files into a user's Windows Startup folder and execute arbitrary code when the user logs on.


smartproxy megabasterd POC / Test Code

Please download the POC here and follow the instructions below.

Smartproxy Megabasterd Info

Smartproxy is a business tool. MegaBasterd is a relic from the "bypass era." Treat your data infrastructure with respect—invest in legitimate proxies and legal download methods. Your IP reputation, security, and legal standing will thank you. Disclaimer: This article is for educational purposes only. Bypassing bandwidth limits or terms of service may violate local and international laws. Always review the terms of service of any website or cloud provider before automating requests.

At first glance, they serve different purposes. Smartproxy is a leading enterprise-grade proxy infrastructure provider. MegaBasterd (often stylized as MegaBasterd) is a third-party download manager for the cloud storage service MEGA. So why are they constantly searched together? smartproxy megabasterd

The answer lies in a gray area of the internet: users trying to bypass download limits, automate large-scale file transfers, or scrape geo-restricted content using cracked tools. But here is the hard truth: Smartproxy is a business tool

In the world of data extraction and web scraping, two names often appear in the same breath among forum discussions, GitHub threads, and Reddit communities: Smartproxy and MegaBasterd . Disclaimer: This article is for educational purposes only


smartproxy megabasterd Patch / Workaround

Avoid downloading files/directories from untrusted FTP servers.


smartproxy megabasterd Disclosure Timeline

2008-06-15 - Vulnerability Discovered.
2008-06-16 - Vulnerability Details Sent to Vendor via online support form (no reply).
2008-06-18 - Vulnerability Details Sent to Vendor again via online support form (no reply).
2008-06-25 - Vulnerability Details Sent to Vendor again via online support form (no reply).
2008-06-27 - Public Release.


Contact
For further enquries, comments, suggestions or bug reports, simply email them to