Nexpose Vulnerability Database
Multiple vendor WU-FTPD filename globbing corruption
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| Severe (7) | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Nov 30, 2001 | Nov 1, 2004 | Sep 16, 2010 |
Description:
Wu-Ftpd is an FTP server based on the BSD ftpd that is maintained by Washington University.
Wu-Ftpd allows clients to organize files for FTP actions based on "file globbing" patterns. File globbing is also used by various shells. The implementation of file globbing included in Wu-Ftpd contains a heap corruption vulnerability that may allow an attacker to execute arbitrary code on a server remotely.
This vulnerability was initially scheduled for public release on December 3, 2001. However, Red Hat has made details public as of November 27, 2001. As a result, we are forced to warn other users of the vulnerable product, so that they may take appropriate actions.
References:
- BID: http://www.securityfocus.com/bid/3581
- CERT-VN: http://www.kb.cert.org/vuls/id/886083
- CERT: http://www.cert.org/advisories/CA-2001-33.html
- CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0550
- MANDRAKE: http://www.mandriva.com/security/advisories?name=MDKSA-2001:090
- SANS-02: http://www.sans.org/top20/2002/#u5
- URL: http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt
- URL: http://www.kb.cert.org/vuls/id/886083
- URL: http://www.redhat.com/support/errata/RHSA-2001-157.html
Solution:
Upgrade to wu-ftpd v2.6.2
Download and apply the upgrade from: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.2.tar.gz
Information on these pages is summary information extracted from the Nexpose Vulnerability Assessment system. Full details are provided within the Nexpose product for licensed users.

