#Greyhatting: GMV FTP’s arbitrary upload vulnerability

During Thanksgiving I came across an arbitrary upload vulnerability on space communication company GMV’s FTP system wherein anyone can upload any files they want.

The problem is that, with the impending likelihood of Article 13 getting passed, this exposed FTP may inadvertently leave them vulnerable to the clutches of liability. Not to mention that online predators will misuse that to surreptitiously transmit or store CP images.

Therefore I chose to inform GMV by both email and contact form about this issue, and they acted beautifully swiftly to patch the hole by taking down the “Anonymous upload” and “Anonymous download” buttons and restricting those functions to authorized users only.

Unfortunately, as it was Thanksgiving time, I was too lazy to take more screenshots, but here they are.

BEFORE

[Screenshots: Capture, capture1]

AFTER

[Screenshots: capture2, capture3, capture4]

Here is my email to the GMV staff pertinent to this hole.

May the force be with you.