NeXpose Vulnerability Database
WFTPD LIST/NLST/STAT Command Buffer Overflow
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| Critical (9) | 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) | Mar 1, 2004 | Jan 26, 2007 | Mar 17, 2009 |
Description:
Texas Imperial Software's WFTPD FTP Server for Windows is vulnerable to a buffer overflow whereby an attacker could execute arbitrary code under the context of the user running the software by issuing a LIST, NLST, or STAT command with a "-" character followed by an overly long string and a space.
References:
- CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0340
- CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0341
- CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0342
- OSVDB: http://www.osvdb.org/displayvuln.php?osvdb_id=4115
- OSVDB: http://www.osvdb.org/displayvuln.php?osvdb_id=4116
- SECUNIA: http://secunia.com/advisories/11001/
- URL: http://marc.theaimsgroup.com/?l=bugtraq&m=107801142924976&w=2
- URL: http://marc.theaimsgroup.com/?l=bugtraq&m=107801208004699&w=2
- URL: http://www.securityfocus.com/bid/9767
- URL: http://xforce.iss.net/xforce/xfdb/15340
- URL: http://xforce.iss.net/xforce/xfdb/15341
- URL: http://xforce.iss.net/xforce/xfdb/15342
Solution:
Upgrade to the latest version of WFTPD
Download and apply the upgrade from: http://www.wftpd.com/downloads/wftpd325.zip
Upgrade to the latest version of WFTPD for your platform. The latest stable release is WFTPD version 3.25, released on Nov 30, 2006. See the WFTPD website for more information on the latest release, including upgrade instructions.
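A detection-side illustration of the pattern in the description above, added here and not taken from NeXpose or the WFTPD vendor: it scans FTP control-channel lines for LIST, NLST or STAT followed by a "-" option longer than a threshold. The 256-byte threshold, the function names and the sample traffic are assumptions constructed for the example.

```python
"""Flag FTP control-channel lines matching the WFTPD LIST/NLST/STAT pattern."""

AFFECTED_VERBS = {b"LIST", b"NLST", b"STAT"}
# Assumption: the advisory gives no length; 256 bytes is an illustrative
# threshold, far above any legitimate option string such as "-la".
MAX_OPTION_LEN = 256


def check_line(raw: bytes, max_len: int = MAX_OPTION_LEN):
    """Return (verb, option_length) if the line looks like the trigger, else None."""
    line = raw.rstrip(b"\r\n")
    verb, _, rest = line.partition(b" ")
    verb = verb.upper()  # FTP command verbs are case-insensitive
    if verb not in AFFECTED_VERBS:
        return None
    rest = rest.lstrip(b" ")
    if not rest.startswith(b"-"):
        return None
    # The option token runs from "-" up to the next space. It is measured
    # whether or not the trailing space arrived, so a truncated capture
    # is still flagged.
    option = rest.split(b" ", 1)[0]
    if len(option) <= max_len:
        return None
    return verb.decode("ascii"), len(option)


def scan(records, max_len: int = MAX_OPTION_LEN):
    """records: iterable of (client, raw_line). Returns a list of alert dicts."""
    alerts = []
    for client, raw in records:
        hit = check_line(raw, max_len)
        if hit:
            alerts.append({"client": client, "verb": hit[0], "option_len": hit[1]})
    return alerts


# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = [
    ("192.0.2.10", b"USER anonymous\r\n"),
    ("192.0.2.10", b"LIST -la\r\n"),
    ("192.0.2.10", b"STAT /pub\r\n"),
    ("198.51.100.7", b"list -" + b"A" * 600 + b" \r\n"),
    ("198.51.100.7", b"NLST " + b"B" * 600 + b"\r\n"),  # long, but no "-"
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The same check can be applied to a proxy or IDS log of FTP commands on hosts that still run a WFTPD version older than the fixed release.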
Information on these pages is summary information extracted from the NeXpose Vulnerability Assessment system. Full details are provided within the NeXpose product for licensed users.

