YingZhi Python Programming Language for iOS ftp .. bug & httpd arbitrary upload

["Larry W. Cashdollar" <larry0 () me com>]

Hi,

I'd like to request a CVE for these vulnerabilities I disclosed back on Sept 27 2012.

 

YingZhi Python Programming Language for iOS

Vendor: XiaoWen Huang, YingZhi Python for iOS.

Ver 1.9.

OSVDB IDs: 96719 & 96720

Product Websites
http://sosilen.blog.163.com
http://www.iphoneappstorm.com/iphone-apps/utilities/com.yingzhi.python/yingzhipython.php?id=493505744 YingZhi

Description:
Python Interpreter is a native python development application for the iPad/iPhone. It is available for iOS 4 and above.

The product is packaged with its own httpd and ftpd servers. Enabling the local daemons for development by Touching 
Computer<->This Machine starts up an httpd server and ftpd server, both daemons are bound to device IP not localhost.
Vulnerabilities:

httpd server allows upload of arbitrary files to root WWW directory.

Browsing to http://<target_ip>:8080/ presents an index page in which anyone can upload files to the web servers root 
directory.

ftp server vulnerable to ../ bug

The ftp server doesn't sanitize user input and allows remote users to read and possibly write to the devices storage.

ftp://192.168.0.24:10000/../../../../../../../private/etc/passwd

The ftp server doesn't bother authenticating users, any username/password combination will allow you in.

Larry W. Cashdollar @_larry0






















http://vapid.dhs.org/advisories/python_for_ipad.html

http://seclists.org/fulldisclosure/2012/Sep/199