Symlink-based privilege escalation
Hi guys,
I noticed that the open() calls in LightFTP lack the O_NOFOLLOW flag; this could lead to trivial privilege escalation or total system compromise by overwriting critical files when the program runs with elevated privileges. The application follows user-controlled symbolic links during file opening, allowing local attackers to read/write arbitrary files outside of the intended control sphere. The vulnerability is exploitable through malicious symlinks.
The open() calls in ftpserv.c lack O_NOFOLLOW. The attacker needs shell access to the FTP directory to create the symlinks.
Additionally, the log file handling function also uses open() without O_NOFOLLOW. Here the low-privileged attacker needs access to the log file path before the privileged daemon is started.
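The mitigation for both cases described in the report (data files opened under the FTP root, and the log file created at daemon start) is the same: pass O_NOFOLLOW so a symlink at the final path component is refused, and for files the daemon creates itself add O_CREAT|O_EXCL so a pre-planted link cannot redirect the write. The block below is an added example written for this issue; it is not LightFTP's own code, and the helper names (open_nofollow_regular, create_log_exclusive, run_demo) and the temporary directory it builds are constructed for the demonstration. It creates a regular file and a symlink to it, then shows the hardened opens rejecting the link with ELOOP and EEXIST respectively.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for a bare open(): never follows a symlink at the final
 * path component, and refuses anything that is not a regular file once opened
 * (O_NOFOLLOW alone would still happily open a FIFO or device node).
 * Returns an fd, or -1 with errno set (ELOOP = the path was a symlink). */
int open_nofollow_regular(const char *path, int flags, mode_t mode)
{
    int fd = open(path, flags | O_NOFOLLOW | O_CLOEXEC, mode);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Log-file creation: O_CREAT|O_EXCL fails if the path already exists in any
 * form, including a symlink planted before the daemon starts (errno = EEXIST). */
int create_log_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

struct demo_result {
    int plain_fd_ok;  /* 1 if the regular file opened fine */
    int link_errno;   /* errno from opening the symlink; expect ELOOP */
    int log_errno;    /* errno from exclusive-creating over a symlink; expect EEXIST */
};

/* Builds a throwaway directory (constructed for this demo) holding a regular
 * file and a symlink to it, exercises both helpers and records the outcome.
 * Returns 1 on success, 0 if the setup itself failed. */
int run_demo(struct demo_result *r)
{
    char dir[] = "/tmp/nofollow_demo_XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;

    char plain[256], link[256];
    snprintf(plain, sizeof plain, "%s/real.txt", dir);
    snprintf(link, sizeof link, "%s/link.txt", dir);

    int fd = open(plain, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return 0; }
    close(fd);
    if (symlink(plain, link) != 0) { unlink(plain); rmdir(dir); return 0; }

    memset(r, 0, sizeof *r);

    fd = open_nofollow_regular(plain, O_RDONLY, 0);   /* regular file: allowed */
    r->plain_fd_ok = (fd >= 0);
    if (fd >= 0) close(fd);

    errno = 0;
    fd = open_nofollow_regular(link, O_RDONLY, 0);    /* symlink: refused */
    r->link_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);

    errno = 0;
    fd = create_log_exclusive(link);                   /* pre-planted link: refused */
    r->log_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);

    unlink(link);
    unlink(plain);
    rmdir(dir);
    return 1;
}

/* Accessors that run the demo once and expose each result as a plain int. */
static struct demo_result g_result;
static int g_ran = 0;
static int ensure_demo(void) { if (!g_ran) g_ran = run_demo(&g_result); return g_ran; }
int demo_plain_ok(void)   { return ensure_demo() ? g_result.plain_fd_ok : -1; }
int demo_link_errno(void) { return ensure_demo() ? g_result.link_errno : -1; }
int demo_log_errno(void)  { return ensure_demo() ? g_result.log_errno : -1; }

int main(void)
{
    if (!ensure_demo()) { perror("setup"); return 1; }
    printf("regular file opened: %s\n", demo_plain_ok() ? "yes" : "no");
    printf("symlink open: %s\n", demo_link_errno() == ELOOP ? "refused (ELOOP)" : strerror(demo_link_errno()));
    printf("log create over symlink: %s\n", demo_log_errno() == EEXIST ? "refused (EEXIST)" : strerror(demo_log_errno()));
    return 0;
}
```

O_NOFOLLOW only guards the last path component; a symlinked parent directory is still traversed, so a daemon serving user-writable trees should additionally resolve paths relative to a directory fd (openat with O_NOFOLLOW per component, or O_RESOLVE_BENEATH / RESOLVE_NO_SYMLINKS where the platform offers them) rather than trusting a full user-supplied path.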