There is a race condition on the context->FileName variable: this buffer holds the path after normalization, but it is the same buffer the username is written into at login. A read request for "hello.txt" creates a new thread to serve it; if another request, "USER /etc/passwd", is sent before that thread uses the path, the context->FileName buffer is changed, which allows reading arbitrary files.
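The shared-buffer pattern described above, next to a worker that uses a private snapshot of the validated path, as an added example that is not the challenge's own code. Only the FileName field name comes from the description; `struct session`, `struct job`, `cmd_user`, `cmd_retr`, the two worker helpers and the `/srv/ftp` root are assumptions, and the interleaving is replayed sequentially rather than with real threads so the outcome is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 256

/* Hypothetical session state; only the FileName field name is from the page. */
struct session {
    char FileName[PATH_MAX_LEN];  /* shared buffer: username AND normalized path */
};

/* Hypothetical per-transfer job handed to the worker thread. */
struct job {
    const struct session *ctx;    /* vulnerable worker dereferences this later */
    char path[PATH_MAX_LEN];      /* hardened worker uses this private snapshot */
};

/* USER handler: stores the username in the shared buffer. */
static void cmd_user(struct session *ctx, const char *name) {
    snprintf(ctx->FileName, sizeof ctx->FileName, "%s", name);
}

/* Read-request handler: confines the name under root (simplified check),
   then queues a job. Returns 0 on success, -1 if the name is rejected. */
static int cmd_retr(struct session *ctx, const char *root,
                    const char *name, struct job *out) {
    if (name[0] == '/' || strstr(name, "..")) return -1;
    int n = snprintf(ctx->FileName, sizeof ctx->FileName, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= sizeof ctx->FileName) return -1;
    out->ctx = ctx;
    memcpy(out->path, ctx->FileName, sizeof out->path); /* copy at check time */
    return 0;
}

/* The path each worker would open once it is finally scheduled. */
static const char *worker_path_vulnerable(const struct job *j) { return j->ctx->FileName; }
static const char *worker_path_hardened(const struct job *j)   { return j->path; }

int main(void) {
    struct session s = {{0}};
    struct job j;
    cmd_retr(&s, "/srv/ftp", "hello.txt", &j); /* path validated here */
    cmd_user(&s, "/etc/passwd");               /* handled before the worker runs */
    printf("vulnerable worker opens: %s\n", worker_path_vulnerable(&j));
    printf("hardened worker opens:   %s\n", worker_path_hardened(&j));
    return 0;
}
```

The fix is independent of how strict the path check is: the worker must consume a copy taken at validation time, and the username should not share storage with the path at all.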
pwn_NonHeavyFTP