ArGoSoft FTP Server .lnk Shortcut Upload Issue

2004-11-01T00:00:00
ID OSVDB:11325
Type osvdb
Reporter OSVDB
Modified 2004-11-01T00:00:00

Description

Vulnerability Description

ArGoSoft FTP Server contains a flaw that may allow a malicious user to upload .lnk shortcut files. The issue is due to an unknown error in the product. It is possible that the flaw may allow the malicious user to use the uploaded .lnk shortcut files to access arbitrary files and directories outside of the FTP base path resulting in a loss of confidentiality or integrity.

Solution Description

Upgrade to version 1.4.2.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

ArGoSoft FTP Server contains a flaw that may allow a malicious user to upload .lnk shortcut files. The issue is due to an unknown error in the product. It is possible that the flaw may allow the malicious user to use the uploaded .lnk shortcut files to access arbitrary files and directories outside of the FTP base path resulting in a loss of confidentiality or integrity.

References:

Vendor URL: http://www.argosoft.com/ftpserver/ Vendor Specific News/Changelog Entry: http://www.argosoft.com/ftpserver/changelist.aspx Security Tracker: 1012050 Secunia Advisory ID:13063 Related OSVDB ID: 1886 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-07/0015.html ISS X-Force ID: 6760 CVE-2001-1043 CVE-2004-2672 Bugtraq ID: 2961