3489 matches found

CNVD
added 2017/11/30 12:0 a.m. | 2 views

Haxx curl and libcurl denial of service vulnerabilities

Haxx curl and libcurl are both products of the Swedish company Haxx. curl is a set of file transfer tools that utilize URL syntax to work at the command line. libcurl is a free, open source client-side URL transfer library. A denial of service vulnerability exists in the FTP wildcard function in...

CVSS 9.8 | AI score 6.9 | EPSS 0.11175
Exploits: 0 | References: 1
OSV
added 2017/11/29 6:29 p.m. | 1 view

DEBIAN-CVE-2017-8817

The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '' character...

CVSS 9.8 | AI score 7.5 | EPSS 0.11175
Exploits: 0 | References: 1
curl security advisories
added 2017/11/29 8:0 a.m. | 5 views

FTP wildcard out of bounds read

libcurl contains a read out of bounds flaw in the FTP wildcard function. libcurl's FTP wildcard matching feature, which is enabled with the CURLOPT_WILDCARDMATCH option, can use a built-in wildcard function or a user provided one. The built-in wildcard function has a flaw that makes it not detect t...

CVSS 9.8 | AI score 7 | EPSS 0.11175
Exploits: 0 | Affected Software: 2
OSV
added 2017/11/29 12:0 a.m. | 1 view

UBUNTU-CVE-2017-8817

The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '' character...

CVSS 9.8 | AI score 6.8 | EPSS 0.11175
Exploits: 0 | References: 5
RedHat Linux
added 2017/11/28 8:40 p.m. | 2 views

OpenJDK: no default network operations timeouts in FtpClient (Networking, 8181612)

It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server...

CVSS 5.3 | AI score 7.4 | EPSS 0.16181
Exploits: 2 | References: 4
Kitploit
added 2017/11/22 1:13 p.m. | 13 views

WSC2 - A WebSocket C2 Tool

WSC2 is a PoC of using WebSockets and a browser process to serve as a C2 communication channel between an agent, running on the target system, and a controller acting as the actual C2 server. Background information: check this blog post to get some context and insight on the development of th...

AI score 7.3
Exploits: 0 | References: 1
OSV
added 2017/11/17 11:29 p.m. | 5 views

CVE-2017-16566

On Jooan IP Camera A5 2.3.36 devices, an insecure FTP server does not require authentication, which allows remote attackers to read or replace core system files including those used for authentication such as passwd and shadow. This can be abused to take full root level control of the device...

CVSS 9.8 | AI score 5.8 | EPSS 0.02562
Exploits: 0 | References: 1
OSV
added 2017/11/15 4:29 p.m. | 3 views

CVE-2017-15269

The PSFTPd 10.0.4 Build 729 server does not prevent FTP bounce scans by default. These can be performed using "nmap -b" and allow performing scans via the FTP server...

CVSS 4.3 | AI score 5.8 | EPSS 0.015
Exploits: 4 | References: 3
CNVD
added 2017/11/15 12:0 a.m. | 3 views

PSFTPd Windows FTP Server Memory Misreference Vulnerability

PSFTPd is a suite of FTP server software. The software supports protocols such as FTP, FTPS and SFTP. The SFTP component is one of the secure file transfer components. A memory misreference vulnerability exists in the SFTP component of PSFTPd version 10.0.4 Build 729. A remote attacker can exploit thi...

CVSS 5.9 | AI score 6.8 | EPSS 0.08742
Exploits: 4 | References: 1
Fedora
added 2017/11/11 3:23 a.m. | 24 views

[SECURITY] Fedora 27 Update: curl-7.55.1-6.fc27

curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies,...

CVSS 7.5 | EPSS 0.08465
Exploits: 0
RedHat Linux
added 2017/11/02 8:8 p.m. | 2 views

jsch: ChannelSftp path traversal vulnerability

A vulnerability was discovered in JSch that allows a malicious sftp server to force a client-side relative path traversal in jsch's implementation for recursive sftp-get. An attacker could leverage this to write files outside the client's download basedir with effective permissions of the jsch sf...

CVSS 5.9 | AI score 6.9 | EPSS 0.24143
Exploits: 3 | References: 5
Veracode
added 2017/10/31 5:24 a.m. | 13 views

Insecure Defaults

cordova-plugin-file-transfer has an insecure default. The default value for trustAllHosts is true for iOS applications. By using this flaw, attackers can easily spoof SSL servers and have them be trusted by the application...

CVSS 7.5 | AI score 7.3 | EPSS 0.07725
Exploits: 1 | References: 6 | Affected Software: 1
NVD
added 2017/10/30 7:29 p.m. | 21 views

CVE-2014-0072

ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin org.apache.cordova.file-transfer before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the...

CVSS 7.5 | AI score 7.2 | EPSS 0.07725
Exploits: 1 | References: 6
Prion
added 2017/10/30 7:29 p.m. | 13 views

Code injection

ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin org.apache.cordova.file-transfer before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the...

CVSS 5 | AI score 6.8 | EPSS 0.07725
Exploits: 1 | References: 6 | Affected Software: 2
CVE
added 2017/10/30 7:0 p.m. | 48 views

CVE-2014-0072

CVE-2014-0072 affects the Apache Cordova File-Transfer stack on iOS. The File-Transfer plugin for iOS (Cordova 2.4.0–2.9.0) and the standalone File-Transfer plugin (org.apache.cordova.file-transfer) prior to 0.4.2 default the trustAllHosts option to true, allowing remote attackers to spoof SSL se...

CVSS 7.5 | AI score 7.2 | EPSS 0.07725
Exploits: 1 | References: 6 | Affected Software: 1
Cvelist
added 2017/10/30 7:0 p.m. | 32 views

CVE-2014-0072

ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin org.apache.cordova.file-transfer before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the...

AI score 7.2 | EPSS 0.07725
Exploits: 1 | References: 6
CNVD
added 2017/10/25 12:0 a.m. | 2 views

Ayukov NFTPD Buffer Overflow Vulnerability

Ayukov NFTPD is a file transfer protocol client. A buffer overflow vulnerability exists in Ayukov NFTPD 2.0 and earlier versions. A remote attacker can exploit this vulnerability to execute arbitrary code...

CVSS 9.8 | AI score 7.9 | EPSS 0.60328
Exploits: 16 | References: 1
RedHat Linux
added 2017/10/24 12:14 p.m. | 1 view

OpenJDK: no default network operations timeouts in FtpClient (Networking, 8181612)

It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server...

CVSS 5.3 | AI score 7.4 | EPSS 0.16181
Exploits: 2 | References: 4
RedHat Linux
added 2017/10/24 12:9 p.m. | 5 views

OpenJDK: no default network operations timeouts in FtpClient (Networking, 8181612)

It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server...

CVSS 5.3 | AI score 7.4 | EPSS 0.16181
Exploits: 2 | References: 4
RedHat Linux
added 2017/10/23 7:44 a.m. | 3 views

OpenJDK: no default network operations timeouts in FtpClient (Networking, 8181612)

It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server...

CVSS 5.3 | AI score 7.4 | EPSS 0.16181
Exploits: 2 | References: 4