-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-057
Product: PonVFTP
Vendor: Pongles
Affected Version(s): 0.8 and below
Tested Version(s): 0.8
Vulnerability Type: Path Traversal (CWE-22)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2016-06-10
Solution Date: 2016-09-21
Public Disclosure: 2016-09-22
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

It was discovered that PonVFTP contains a Path Traversal vulnerability
which can result in Arbitrary Code Execution by authenticated users.

The PonVFTP application is described as follows [2]:

"PonVFTP is targeted at people who need a fully-featured web solution for
file management. It was designed from the onset to be lightweight, easy
to use and quick to setup. The solution is built around a multi-user
system (including anonymous access support). Each user can have their
own permission level and home directory."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The web application sanitizes the path parameter for file upload and
download by replacing the sequence ../ with an empty string. The
replacement is applied a single time and is not repeated on its own
output, so the sequence ..././ is reduced to ../, which can still be used
for Path Traversal.

By abusing this vulnerability, an authenticated user can download
arbitrary files that the web server process is able to read. Furthermore,
if the location of the webroot is known, it is possible to upload files
directly into the webroot, which results in Arbitrary Code Execution.
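The following Python is an added example written for this page; it is not code from the advisory or from PonVFTP (which is a PHP application). It reconstructs the filter behaviour the advisory describes (a single, non-recursive removal of "../"), shows why a ..././ payload survives it, and places a canonicalisation-plus-containment check beside it that rejects real traversal without trying to recognise any particular spelling of "..". The base directory /srv/ponvftp/files and the helper names are assumptions for the demo; the same resolve function serves both the download and the upload path, since the advisory states the filter is shared.

```python
import os

# Constructed for the example: the directory the application serves files
# from and stores uploads in. Assumption, not a PonVFTP setting.
BASE_DIR = "/srv/ponvftp/files"

# Payload of the same shape as the advisory's PoC: a run of "..././"
# segments (nine here, enough to reach the root from any realistic depth)
# followed by "etc/". Each segment loses its inner "../" to the filter and
# collapses to "../".
TRAVERSAL = "..././" * 9 + "etc/"


def strip_dotdot_once(path: str) -> str:
    """The flawed filter described in the advisory: remove "../" once,
    without re-scanning the result. Reconstruction, not PonVFTP's code."""
    return path.replace("../", "")


def vulnerable_resolve(path: str, filename: str) -> str:
    """Build the file path the way the vulnerable handler effectively does:
    filter, then concatenate under BASE_DIR. Returns the lexically
    normalised result, i.e. the file the OS would actually open (".."
    components beyond the root are discarded, as the kernel does)."""
    raw = os.path.join(BASE_DIR, strip_dotdot_once(path), filename)
    return os.path.normpath(raw)


def hardened_resolve(path: str, filename: str) -> str:
    """Safe alternative: canonicalise the complete candidate path and
    reject it unless it still lies inside the canonical base directory.
    No blacklist of "../" spellings is involved, so nested or encoded
    variants gain nothing."""
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, path, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory: %r" % candidate)
    return candidate


def hardened_rejects(path: str, filename: str) -> bool:
    """True if the hardened check refuses the given request."""
    try:
        hardened_resolve(path, filename)
    except ValueError:
        return True
    return False


def is_inside_base(resolved: str) -> bool:
    """Containment check used by the demo: is the resolved path under BASE_DIR?"""
    base = os.path.realpath(BASE_DIR)
    return os.path.commonpath([base, os.path.realpath(resolved)]) == base


if __name__ == "__main__":
    print("filter output :", strip_dotdot_once(TRAVERSAL))
    print("vulnerable    :", vulnerable_resolve(TRAVERSAL, "passwd"))
    # Plain "../" runs are caught by canonicalisation.
    print("hardened      :", "rejected" if hardened_rejects("../" * 9 + "etc/", "passwd") else "allowed")
    # Without the lossy filter the ..././ payload is inert: "..." is just an
    # ordinary (non-existent) directory name under BASE_DIR.
    print("hardened raw  :", hardened_resolve(TRAVERSAL, "passwd"))
    print("hardened ok   :", hardened_resolve("docs", "readme.txt"))
```

Running the block prints the filtered path as a run of ../ segments and the vulnerable resolution as /etc/passwd, while the hardened variant refuses the traversal and returns an in-tree path for a legitimate request. Note that the ..././ payload only becomes dangerous because the filter rewrites it; passed unfiltered to the canonicalising check it is harmless. When porting this to PHP, keep in mind that realpath() returns false for a path that does not yet exist, so for uploads canonicalise and check the target directory first and then reject a filename that contains a directory separator.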
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

On a Linux system, the following link can be used by an authenticated
user to download the file /etc/passwd:

http://www.example.com/index.php?mod=download&path=..././..././..././..././..././..././..././..././..././etc/&file=passwd

After the filter removes the inner ../ from each ..././ segment, the path
parameter is reduced to a run of ../ segments followed by etc/. Provided
enough segments are supplied to reach the filesystem root, the resulting
path resolves to /etc/passwd regardless of how deep the application's
file directory lies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to version 0.9 or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-05-06: Vulnerability discovered
2016-06-10: Vulnerability reported to vendor
2016-07-18: Sent reminder as vendor did not reply
2016-08-22: Sent reminder as vendor did not reply
2016-08-31: Vendor proposes alternative release schedule
2016-09-21: Public release of fixed version
2016-09-22: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] SySS GmbH, SYSS-2016-057
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-057.txt
[2] Vendor description of PonVFTP
    http://www.pongles.com/index.php?p=code&id=2
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Franz G. Jahn of the SySS GmbH.

E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJX4AcLAAoJENWmFJbQahTe0vIP/3WubocUfHFXnpOqSkQOcE5C
g3mRIIK2QKBU5XPEBjtZcMe/JWxT253eDdr2MVXfunz9YJmHXX8tveSYauAO0I6K
ZuqQyKxWNP2IF4YPD2MeLG55qKRoKRMCcSvIZ9QxlOONVzb9aybHEvq1psK9sfWP
eN/4FIcVLYFJvTRM+cyVm80RMMepkIi2nqHU62sWHoxNh6QB+50H222DLQBtWn0d
XEUE8ufSCxy/pr/RE6vU0YTvoExfgtu6z22ubtYnfgbEoLS6kcHv5nFN1dVemfTi
r+NSWP045ZymN5visf9ioJGYPeJYIRr04LvJK3Cel5dZoHcOSY/Ua2R/06u8Yk9C
ShMiqB34NxZKgAiP9+OzdyILpZ8Ysak8vH1/yUlpTZjkp5W4YinZ+qbYSiOOHT1U
EV0UbfuTLwTXXHj4iJp/oFga8pxxIORfVIjLesssH7F3Zytph2+OwfhzqM2CaYBb
7L61AcvsBSstcXA4fEIw7/evYrqw5g9HeY89bQ7lUuL2YpY4zF/2oV031gmEGHHk
gsS7Ly9P3IJH1vX/253r+oyl3OX7wgJEE6NF4KWkjXF90okDL3+VLj49oVhDXMLk
ebVMtbGsgFJHrgcEjwEG2YM0wjCD9fkVhDJrz9znK5mQboqwG+UVo0K/jUtxzOO2
Y8d4TvHcXWF+rlufZ6Zo
=HU0u
-----END PGP SIGNATURE-----