[cobalt-security] Vulnerability in ProFTPD
- Subject: [cobalt-security] Vulnerability in ProFTPD
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Tue, 23 Sep 2003 21:28:15 +0200
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi all,
This seems to be the week of vulnerabilities. First OpenSSH, then
Sendmail, then ModSSL and now ProFTPd. :o(
For more information about the ProFTPd issue see this URL:
http://securityfocus.com/archive/1/338687/2003-09-20/2003-09-26/0
Small sample:
Synopsis:
ISS X-Force has discovered a flaw in the ProFTPD Unix FTP server. ProFTPD
is a highly configurable FTP (File Transfer Protocol) server for Unix
that allows for per-directory access restrictions, easy configuration of
virtual FTP servers, and support for multiple authentication mechanisms.
A flaw exists in the ProFTPD component that handles incoming ASCII file
transfers.
Impact:
An attacker capable of uploading files to the vulnerable system can
trigger a buffer overflow and execute arbitrary code to gain complete
control of the system. Attackers may use this vulnerability to destroy,
steal, or manipulate data on vulnerable FTP sites.
Affected Versions:
ProFTPD 1.2.7
ProFTPD 1.2.8
ProFTPD 1.2.8rc1
ProFTPD 1.2.8rc2
ProFTPD 1.2.9rc1
ProFTPD 1.2.9rc2
Note: Versions previous to version 1.2.7 may also be vulnerable.
For the complete ISS X-Force Security Advisory, please visit:
http://xforce.iss.net/xforce/alerts/id/154
--
With best regards,
Michael Stauber