CVE-1999-0997

Published: 20/12/1999 Updated: 05/09/2008
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 755
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

wu-ftp with FTP conversion enabled allows a malicious user to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress.

Vulnerable Product

millenux gmbh anonftp 2.8.1

university of washington wu-ftpd 2.5.0

university of washington wu-ftpd 2.6.0

university of washington wu-ftpd 2.4.2

redhat linux 6.1

redhat linux 5.2

redhat linux 6.0

Vendor Advisories

wu-ftpd, an FTP server, implements a feature whereby multiple files can be fetched in the form of a dynamically constructed archive file, such as a tar archive. The names of the files to be included are passed as command line arguments to tar, without protection against them being interpreted as command-line options. GNU tar supports several comman ...

Exploits

source: www.securityfocus.com/bid/2240/info

Some FTP servers provide a "conversion" service that pipes a requested file through a program, for example a decompression utility such as "tar", before it is passed to the remote user. Under some configurations where this is enabled a remote user can pass a filename beginning with a minus sign to ...