gFTP Logging Facility Remote Format String

2001-04-17T00:00:00
ID OSVDB:1805
Type osvdb
Reporter SRTeam()
Modified 2001-04-17T00:00:00

Description

Vulnerability Description

gFTP contains a flaw that may allow a remote attacker to execute arbitrary code on a gftp user's system. The issue is triggered when an untrusted value is passed to a printf() function in the facility the client program uses to log FTP and HTTP responses. A remote attacker using a remote FTP server may be able to execute arbitrary code on a gftp user's system, resulting in a loss of integrity.
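The class of bug described above, shown as an added example rather than gFTP's own code: a printf-style logging helper called with a server reply as its format string, next to the corrected call. All function names and the sample reply are hypothetical. The reply contains only "%%", which consumes no arguments, so the difference is visible without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style log helper (not gFTP's code). Declaring it with
 * __attribute__((format(printf, 3, 4))) lets gcc/clang -Wformat-security
 * flag the unsafe call below at compile time. */
static int log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable pattern: the server's reply is used AS the format string, so
 * any conversion specifier in it is interpreted by the formatter. */
int log_reply_unsafe(char *out, size_t n, const char *reply)
{
    return log_line(out, n, reply);
}

/* Fixed pattern: constant format string, reply passed only as data. */
int log_reply_safe(char *out, size_t n, const char *reply)
{
    return log_line(out, n, "%s", reply);
}

/* Returns 1 when the unsafe logger altered the reply, i.e. interpreted it.
 * Call only with replies whose sole specifier is "%%" (well defined). */
int reply_was_interpreted(const char *reply)
{
    char a[128], b[128];
    log_reply_unsafe(a, sizeof a, reply);
    log_reply_safe(b, sizeof b, reply);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed sample reply; "%%" is the only specifier in it. */
    const char *reply = "226 Transfer 100%% complete";
    printf("interpreted by unsafe logger: %d\n", reply_was_interpreted(reply));
    return 0;
}
```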

Solution Description

Upgrade to version 2.0.8pre1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://gftp.seul.org/
Vendor URL: http://www.gftp.org/
Vendor Specific News/Changelog Entry: http://www.gftp.org/changelog.html
Security Tracker: 1001443
ISS X-Force ID: 6478
CVE-2001-0489
Bugtraq ID: 2657