jftpgw syslog() Logging Format String

2004-05-30T10:59:38
ID OSVDB:6492
Type osvdb
Reporter Jaguar (jaguar@felinemenace.org)
Modified 2004-05-30T10:59:38

Description

Vulnerability Description

The jftpgw proxy server contains a flaw that may allow an attacker to execute arbitrary commands with the privileges of the server process. The issue is caused by an error in the logging functionality of the server, where user-supplied data is passed as the format string directly to a syslog() function call.
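
As an added illustration (not code from jftpgw or the advisory), the vulnerable call shape described above next to a hardened logging path in C; `proxy_log`, `SAMPLE_USER`, the helper functions and the log message text are assumptions made for this example:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed client-controlled input (sample value, not from the advisory). */
static const char SAMPLE_USER[] = "alice %s%s%n";

/* The bug class described above, kept as a comment so this file compiles
 * cleanly: the client string is the format argument, so syslog() interprets
 * every directive it carries:
 *     syslog(LOG_INFO, user);   // client controls the format string */

/* Logging wrapper. The format attribute makes the compiler flag call sites
 * that pass a non-literal format (-Wformat-security). */
__attribute__((format(printf, 2, 3)))
static void proxy_log(int prio, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsyslog(prio, fmt, ap);
    va_end(ap);
}

/* Hardened form: fixed format, client data only ever a %s argument. */
void log_login_fixed(const char *user)
{
    proxy_log(LOG_INFO, "login attempt from user %s", user);
}

/* Same rendering as log_login_fixed, into a buffer so the result can be
 * inspected: directives inside `user` land in the log as plain text. */
int render_login_line(char *out, size_t cap, const char *user)
{
    return snprintf(out, cap, "login attempt from user %s", user);
}

/* Review/test helper: count conversion directives in a string about to be
 * used as a format; a literal "%%" is not a directive. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* escaped percent */
        n++;
    }
    return n;
}
```

The counting helper is a regression check for code that builds format strings dynamically; the fix itself is the fixed-format call in `log_login_fixed`.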

Solution Description

Upgrade to version 0.13.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

The jftpgw proxy server contains a flaw that may allow an attacker to execute arbitrary commands with the privileges of the server process. The issue is caused by an error in the logging functionality of the server, where user-supplied data is passed as the format string directly to a syslog() function call.

References:

Vendor URL: http://www.mcknight.de/jftpgw/
Vendor Specific Advisory URL
Secunia Advisory ID: 11732
Secunia Advisory ID: 11733
Other Advisory URL: http://www.mcknight.de/jftpgw/ChangeLog
Other Advisory URL: http://felinemenace.org/~jaguar/advisories/jftpgw.txt
CVE-2004-0448
Bugtraq ID: 10438