WFTPD Error Message Server Path Disclosure

2000-09-05T00:00:00
ID OSVDB:5829
Type osvdb
Reporter OSVDB
Modified 2000-09-05T00:00:00

Description

Vulnerability Description

WFTPD and WFTPD Pro contain a flaw that may lead to unauthorized information disclosure. The issue is triggered when a malicious user types %C during a remote FTP session; the server returns an error message that discloses the physical path of the directory, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.41 RC13 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.wftpd.com/downloads.htm
Vendor URL: http://www.wftpd.com/support.htm
ISS X-Force ID: 5196
CVE-2000-0876