Ability Server vulnerable to buffer overflow

ID VU:857846
Type cert
Reporter CERT
Modified 2004-12-22T00:00:00



A buffer overflow in the Ability Server may allow remote authenticated attackers to execute arbitrary code.


A lack of input validation in Ability Server's FTP STOR command may allow a buffer overflow to occur. A remote authenticated attacker may be able to exploit this vulnerability by supplying the Ability Server with a specially crafted FTP STOR command.

According to reports, Ability Server versions 2.34, 2.25. and 2.32 are vulnerable. However, other versions may also be affected.


A remote authenticated attacker may be able to execute arbitrary code with the privileges of the Ability Server process or cause a denial-of-service condition.


We are currently unaware of a practical solution to this problem.

Block or Restrict Access

Block or restrict access to the Ability Server from untrusted hosts.


The Ability Server has been discontinued. Ability Server users are encouraged to upgrade to the Ability FTP Server to correct this issue.

Systems Affected

Vendor| Status| Date Notified| Date Updated
Code-Crafters| | 17 Dec 2004| 22 Dec 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A


  • <http://securitytracker.com/alerts/2004/Oct/1011858.html>
  • <http://securityfocus.com/bid/11508/>
  • <http://www.osvdb.org/11030>


This vulnerability was publicly reported in a Security Tracker Advisory.

Security Tracker credits K-Otik with providing information regarding this issue.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: Unknown
  • Date Public: 21 Oct 2004
  • Date First Published: 22 Dec 2004
  • Date Last Updated: 22 Dec 2004
  • Severity Metric: 12.94
  • Document Revision: 69