ProFTPD sreplace() stack overflow

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: November 10, 2006
Added: January 24, 2007
Modified: December 04, 2013

ProFTPD releases prior to Nov 27, 2006 are susceptible to a stack-based buffer overflow which could allow an attacker to execute arbitrary code. The vulnerability is in the sreplace() function, which ProFTPD uses to expand built-in tokens into meaningful strings (such as the current working directory, a user name, etc.). The most common attack vector for this vulnerability is the DisplayFirstChdir directive, which is enabled by default in most ProFTPD installations. This directive specifies a filename (usually ".message") which is processed automatically when a user creates a directory and executes a CHDIR to it for the first time. If the file specified by the DisplayFirstChdir directive is transferred to the directory (via a PUT command), ProFTPD will read the file automatically and pass the data to the vulnerable sreplace() function.


  • Upgrade to the latest version of ProFTPD

    Download and apply the upgrade from:

    Upgrade to the latest version of ProFTPD for your platform.

    • The latest stable release is 1.3.2, released on Feb 5, 2009.
    • The latest candidate release is 1.3.2rc4, released on Jan 23, 2009.

    See the ProFTPD website for more information on the latest release, including upgrade instructions.

  • Remove the Display* directives from proftpd.conf

    Modify the file '/etc/proftpd/proftpd.conf' or '/usr/local/etc/proftpd.conf' and comment out all lines with the DisplayFirstChdir, DisplayChdir, DisplayConnect, DisplayGoAway, DisplayLogin, or DisplayQuit directives by prepending a '#' character to the line. You must restart the ProFTPD service for the changes to take effect.
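
The workaround above can be checked and applied with a short script. This is an added example, not part of the original advisory or of ProFTPD; the function names are hypothetical, and matching directive names case-insensitively is a conservative assumption.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a proftpd.conf for the Display*
# directives named in the workaround and print a copy with them commented out.

# Lower-cased alternation of the six directives listed in the advisory.
# Assumption: names are matched case-insensitively to avoid missing variants.
DISPLAY_RE='displayfirstchdir|displaychdir|displayconnect|displaygoaway|displaylogin|displayquit'

# list_active_display FILE
# Prints "LINENO:TEXT" for each uncommented Display* directive.
# Exit status is 0 if any were found, 1 if the file is clean.
list_active_display() {
    awk -v re="^[ \t]*(${DISPLAY_RE})([ \t]|\$)" '
        tolower($0) ~ re { print NR ":" $0; found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# comment_out_display FILE
# Writes FILE to stdout with each active Display* line prefixed by "#",
# keeping its indentation. Commented and unrelated lines pass through unchanged.
comment_out_display() {
    awk -v re="^[ \t]*(${DISPLAY_RE})([ \t]|\$)" '
        tolower($0) ~ re { sub(/^[ \t]*/, "&#") }
        { print }
    ' "$1"
}

# Usage: sh audit_display.sh /etc/proftpd/proftpd.conf > proftpd.conf.new
# Findings go to stderr, the patched configuration to stdout.
if [ "$#" -eq 1 ]; then
    if list_active_display "$1" >&2; then
        comment_out_display "$1"
    else
        echo "No active Display* directives in $1" >&2
    fi
fi
```

Files pulled in with Include need the same check, and the service still has to be restarted after the patched file is installed.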