Tags: racecondition pwn lightftp ftp
tl;dr
There is a race condition on the `context->FileName` buffer. This buffer is used as the file path after normalization, but it is also the buffer the username is written to during login. A read request for "hello.txt" creates a new thread to serve the file; sending another request, "USER /etc/passwd", then changes the `context->FileName` buffer and allows arbitrary files to be read.
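The shared-buffer pattern behind this bug, next to the fix of giving the transfer its own copy of the path, as an added example (a simplified model written for this page, not LightFTP's code). It replays the RETR, USER, worker ordering deterministically instead of using real threads. Assumptions: the struct and function names and the `/srv/ftp` root are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define PATH_LEN 256

/* Hypothetical session state: one buffer reused by every command handler. */
struct session {
    char file_name[PATH_LEN];          /* plays the role of context->FileName */
};

/* A transfer job as handed to the worker thread. */
struct transfer {
    const char *shared_path;           /* vulnerable: alias into the session  */
    char        own_path[PATH_LEN];    /* fixed: private snapshot of the path */
};

/* RETR handler: builds the path under the (constructed) FTP root. */
static void cmd_retr(struct session *s, struct transfer *t, const char *arg)
{
    snprintf(s->file_name, sizeof s->file_name, "/srv/ftp/%s", arg);
    t->shared_path = s->file_name;                                  /* vulnerable */
    snprintf(t->own_path, sizeof t->own_path, "%s", s->file_name);  /* fixed */
}

/* USER handler: stores the user name in the same session buffer. */
static void cmd_user(struct session *s, const char *arg)
{
    snprintf(s->file_name, sizeof s->file_name, "%s", arg);
}

/* Path the worker would open once it finally gets scheduled. */
static const char *worker_path(const struct transfer *t, int fixed)
{
    return fixed ? t->own_path : t->shared_path;
}

/* Replays the ordering from the write-up: RETR, then USER, then the worker. */
static const char *replay(int fixed)
{
    static struct session s;
    static struct transfer t;
    cmd_retr(&s, &t, "hello.txt");
    cmd_user(&s, "/etc/passwd");   /* lands before the worker reads the path */
    return worker_path(&t, fixed);
}

int main(void)
{
    printf("shared buffer: %s\n", replay(0));
    printf("private copy : %s\n", replay(1));
    return 0;
}
```

Copying the path into the job before the thread starts removes the window; rejecting further commands on the control connection while a transfer is in flight is a second layer.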