info:
  name: FTP Directory Access Permission Check
  author: nukunga[SungHyunJeon]
  severity: medium
  description: |
    Ensure that the FTP home directory does not include the "Everyone" group in its access permissions. Granting access to this group may allow unauthorized users to view, modify, or tamper with FTP files.
  impact: |
    Assigning access to the "Everyone" group for the FTP home directory can result in information exposure, file tampering, or unauthorized changes.
  remediation: |
    Remove the "Everyone" group from FTP home directory permissions using the following methods:
    - IIS Manager: Review and adjust the FTP site's home directory settings.
    - File Explorer: Right-click the directory, select "Properties" → go to the "Security" tab, and remove the "Everyone" group.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
  tags: ftp,iis,security,windows,code,windows-audit,kisa

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      # Define the FTP home directory path (adjust if necessary)
      $ftpHome = "C:\inetpub\ftproot"

      if (!(Test-Path $ftpHome)) {
          "FTP_HOME_DIRECTORY_NOT_FOUND"
          exit
      }

      # Retrieve the ACL for the FTP home directory
      $acl = Get-Acl $ftpHome
      $vulnerable = $false

      foreach ($ace in $acl.Access) {
          if ($ace.IdentityReference.ToString() -like "*Everyone*") {
              $vulnerable = $true
              break
          }
      }

      if ($vulnerable) {
          "FTP_HOME_DIRECTORY_EVERYONE_FOUND"
      } else {
          "FTP_HOME_DIRECTORY_NO_EVERYONE"
      }

    matchers:
      - type: word
        words:
          - "FTP_HOME_DIRECTORY_EVERYONE_FOUND"